UBUNTU-CVE-2026-28356

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2026-28356

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-28356.json

JSON Data

https://api.test.osv.dev/v1/vulns/UBUNTU-CVE-2026-28356

Upstream

CVE-2026-28356

Published

2026-03-12T17:16:00Z

Modified

2026-03-19T08:48:06.843560Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

multipart is a fast multipart/form-data parser for python. Prior to 1.2.2, 1.3.1 and 1.4.0-dev, the parseoptionsheader() function in multipart.py uses a regular expression with an ambiguous alternation, which can cause exponential backtracking (ReDoS) when parsing maliciously crafted HTTP or multipart segment headers. This can be abused for denial of service (DoS) attacks against web applications using this library to parse request headers or multipart/form-data streams. The issue is fixed in 1.2.2, 1.3.1 and 1.4.0-dev.

References

Affected packages

Ubuntu:25.10 / multipart

Package

Name: multipart
Purl: pkg:deb/ubuntu/multipart@1.2.1-2?arch=source&distro=questing

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.2.1-2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "python3-multipart",
            "binary_version": "1.2.1-2"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-28356.json"