aiohttp: C HTTP Parser Bypasses max_line_size for Fragmented Lines
Description
Summary
It is possible to bypass the max_line_size check in parts of an HTTP request in the C parser.
Impact
If using the optimised C parser (the default in pre-built wheels), then an attacker may be able to send oversized lines through the HTTP parser and use an excessive amount of memory, potentially leading to DoS.
-----
Patch: https://github.com/aio-libs/aiohttp/commit/5ab61bb4cd88f19b712f12c7c9295fe262bf804d
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
10 OSV coordinates, 10 version ranges (no CPE assigned for any of them):
- pkg:apk/chainguard/authentik-2026.2 — range: < 2026.2.4-r4
- pkg:apk/chainguard/authentik-fips-2026.2 — range: < 2026.2.4-r3
- pkg:apk/chainguard/metaflow-service-fips — range: < 2.5.0-r5
- pkg:apk/chainguard/mlflow — range: < 3.13.0-r1
- pkg:apk/chainguard/mlflow-fips — range: < 3.13.0-r1
- pkg:apk/chainguard/request-1276 — range: < 0.29.0-r1
- pkg:apk/chainguard/text-generation-inference — range: < 3.3.7-r16
- pkg:apk/chainguard/tritonserver-backend-vllm-cuda-13.0 — range: < 25.11-r9
- pkg:apk/wolfi/mlflow — range: < 3.13.0-r1
- pkg:pypi/aiohttp — range: < 3.14.1
Vulnerability mechanics
Root cause
"The C HTTP parser checked only the length of each individual fragment rather than the accumulated buffer length, allowing oversized lines to bypass the max_line_size limit."
Attack vector
An attacker sends an HTTP request whose request target (or a response whose reason phrase) is longer than the configured `max_line_size` (default 8190 bytes), but splits the line across multiple TCP segments so that each individual chunk the parser receives is under the limit. Because the C parser checked only the fragment length, the accumulated line could exceed the limit without raising `LineTooLong`, potentially causing excessive memory consumption and a denial-of-service condition. This affects the default C parser used in pre-built wheels.
Affected code
The bug is in the C HTTP parser's `cb_on_url` and `cb_on_status` callback functions in `aiohttp/_http_parser.pyx`. These callbacks checked only the length of each individual fragment (`length > pyparser._max_line_size`) rather than the accumulated buffer length (`len(pyparser._buf) + length > pyparser._max_line_size`), allowing an oversized request target or response reason phrase to bypass the limit when split across multiple reads.
What the fix does
The patch changes the two checks in `cb_on_url` and `cb_on_status` from `length > pyparser._max_line_size` to `len(pyparser._buf) + length > pyparser._max_line_size`. This ensures the total accumulated line length is compared against the limit, not just the current fragment. The fix aligns the C parser's behavior with the pure-Python parser, which already performed the accumulated-length check.
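The following is an added illustration, not aiohttp's own code: a simplified stand-in for the parser state that collects a request target or reason phrase across several callbacks, with the per-fragment check (the vulnerable behaviour described above) and the accumulated-length check (the fix) side by side. The class and function names are hypothetical; the sample input is constructed. The `c_parser_loaded` helper assumes that aiohttp's `http_parser` module exposes the C classes under the name `HttpRequestParserC` only when the extension has loaded.

```python
"""Per-fragment vs. accumulated-length check for a parser line buffer.

Added example, not aiohttp's code. The default max_line_size (8190) is the
only value taken from the advisory; everything else is a constructed stand-in.
"""

MAX_LINE_SIZE = 8190  # aiohttp's default max_line_size


class LineTooLong(Exception):
    """Stand-in for the exception the real parser raises on an oversized line."""


class LineAccumulator:
    """Hypothetical stand-in for the parser state that gathers a URL or
    reason phrase delivered in several on_url / on_status callbacks."""

    def __init__(self, max_line_size=MAX_LINE_SIZE, check_accumulated=True):
        self._max_line_size = max_line_size
        self._check_accumulated = check_accumulated
        self._buf = bytearray()

    def on_fragment(self, data: bytes) -> None:
        length = len(data)
        if self._check_accumulated:
            # Fixed check: total collected so far plus this fragment.
            too_long = len(self._buf) + length > self._max_line_size
        else:
            # Vulnerable check: only the current fragment is measured.
            too_long = length > self._max_line_size
        if too_long:
            raise LineTooLong(f"line exceeds {self._max_line_size} bytes")
        self._buf.extend(data)

    @property
    def buffer(self) -> bytes:
        return bytes(self._buf)


def feed_fragments(fragments, check_accumulated, max_line_size=MAX_LINE_SIZE):
    """Feed fragments in order; return ("accepted", total_bytes) or
    ("rejected", bytes_buffered_when_rejected)."""
    acc = LineAccumulator(max_line_size, check_accumulated)
    for frag in fragments:
        try:
            acc.on_fragment(frag)
        except LineTooLong:
            return ("rejected", len(acc.buffer))
    return ("accepted", len(acc.buffer))


def split_line(line: bytes, chunk: int):
    """Constructed input: cut one line into pieces each below max_line_size,
    the way separate reads would deliver it."""
    return [line[i:i + chunk] for i in range(0, len(line), chunk)]


def c_parser_loaded():
    """Best-effort check of which parser an installed aiohttp would use.
    Returns True/False, or None when aiohttp is not installed (assumes the
    C classes are exposed as HttpRequestParserC when the extension loads)."""
    try:
        from aiohttp import http_parser
    except ImportError:
        return None
    return hasattr(http_parser, "HttpRequestParserC")


if __name__ == "__main__":
    # Constructed sample: a 20,000-byte request target arriving in 4,000-byte reads.
    oversized = b"/" + b"A" * 19_999
    frags = split_line(oversized, 4000)
    print("vulnerable check:", feed_fragments(frags, check_accumulated=False))
    print("fixed check:     ", feed_fragments(frags, check_accumulated=True))
    print("C parser loaded: ", c_parser_loaded())
```

With the per-fragment check every 4,000-byte piece passes and the whole 20,000-byte line is buffered; with the accumulated check the third piece is refused as soon as 8,000 + 4,000 would exceed 8,190. A single fragment above the limit is rejected either way, which is why the defect only shows up when a line is delivered in several reads. On a deployed service, confirm which parser is active (the pre-built wheels load the C one) and that the installed aiohttp version is at or above the fixed range listed above.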
Preconditions
- config: The server must use the default C HTTP parser (pre-built wheels).
- network: The attacker must be able to send an HTTP request whose request target or response reason phrase is split across multiple TCP segments.
- input: The total length of the request target or reason phrase must exceed the max_line_size limit (default 8190 bytes).
Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions (3)
- Aiohttp: Nine CVEs Disclosed in a Single Day, Five Memory-Exhaustion DoS Flaws (Vypr Intelligence, Jun 15, 2026)