CVE-2026-22815 — aiohttp allows unlimited trailer headers, leading to possible uncapped memory us

Description

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, insufficient restrictions in header/trailer handling could cause uncapped memory usage. This issue has been patched in version 3.13.4.

How to fix CVE-2026-22815

To remediate CVE-2026-22815, upgrade the affected package to a fixed version below.

Debian/python-aiohttp—no fix listed
PyPI/aiohttp—upgrade to 3.13.4 or later

Is CVE-2026-22815 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0
from 0, < 3.13.4

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-22815
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2026-22815
PATCHgithub.com/aio-libs/aiohttp
WEBgithub.com/aio-libs/aiohttp/commit/0c2e9da51126238a421568eb7c5b53e5b5d17b36