CVE Vulnerabilities

CVE-2026-54280

Improper Resource Shutdown or Release

Published: Jun 22, 2026 | Modified: Jun 26, 2026
CVSS 3.x
7.5
HIGH
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu
MEDIUM
root.io logo minimus.io logo echo.ai logo

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, payload resources are not closed correctly when a client disconnects in the middle of a write. If a payload is using an open file or similar limited resource, then an attacker may be able to cause resource starvation temporarily until garbage collection or similar closes the file. This vulnerability is fixed in 3.14.1.

Weakness

The product does not release or incorrectly releases a resource before it is made available for re-use.

Affected Software

NameVendorStart VersionEnd Version
AiohttpAiohttp*3.14.1 (excluding)
Python-aiohttpUbuntuupstream*

Potential Mitigations

  • Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, languages such as Java, Ruby, and Lisp perform automatic garbage collection that releases memory for objects that have been deallocated.

References