CVE-2026-54280
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk20th percentile — higher than 20% of all known CVEs
Summary
In the AIOHTTP library before version 3.14.1, payload resources are not properly closed when a client disconnects during a write operation. This can lead to temporary resource exhaustion, such as open file handles, until they are released by garbage collection.
Risk Assessment
An attacker can intentionally disconnect while sending data, causing limited resources (e.g., file handles) to be locked, leading to denial of service (DoS) for other users.
Recommendation
Immediately update the AIOHTTP library to version 3.14.1 or later, which includes a fix that closes resources upon client disconnection.
Original NVD description (English source)
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, payload resources are not closed correctly when a client disconnects in the middle of a write. If a payload is using an open file or similar limited resource, then an attacker may be able to cause resource starvation temporarily until garbage collection or similar closes the file. This vulnerability is fixed in 3.14.1.

