CVE-2026-49855

EUVD-2026-44505
Tornado is a Python web framework and asynchronous networking library. Prior to 6.5.6, Tornado gzip decompression routines processed limited-size chunks but did not enforce an overall limit on accumulated decompressed chunks, allowing a malicious server accessed by SimpleAsyncHTTPClient or an HTTPServer configured with decompress_request=True to consume effectively unlimited memory. This issue is fixed in version 6.5.6.
Data Amplification
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
GitHub_MCNA
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
tornadowebtornado
𝑥
< 6.5.6
CNA
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
python3-tornado
suse enterprise sap 15 SP4
4.5.3-150000.3.22.1
fixed
suse enterprise sap 15 SP5
4.5.3-150000.3.22.1
fixed
suse enterprise sap 15 SP6
4.5.3-150000.3.22.1
fixed
suse enterprise server 15 SP4
4.5.3-150000.3.22.1
fixed
suse enterprise server 15 SP5
4.5.3-150000.3.22.1
fixed
suse enterprise server 15 SP6
4.5.3-150000.3.22.1
fixed
python311-tornado6
suse enterprise desktop 15 SP7
6.3.2-150400.9.18.1
fixed
suse enterprise sap 15 SP4
6.3.2-150400.9.18.1
fixed
suse enterprise sap 15 SP5
6.3.2-150400.9.18.1
fixed
suse enterprise sap 15 SP6
6.3.2-150400.9.18.1
fixed
suse enterprise sap 15 SP7
6.3.2-150400.9.18.1
fixed
suse enterprise server 15 SP4
6.3.2-150400.9.18.1
fixed
suse enterprise server 15 SP5
6.3.2-150400.9.18.1
fixed
suse enterprise server 15 SP6
6.3.2-150400.9.18.1
fixed
suse enterprise server 15 SP7
6.3.2-150400.9.18.1
fixed