CVE-2026-33034
Publication date 7 April 2026
Last updated 7 April 2026
Ubuntu priority
Description
Potential denial-of-service vulnerability in ASGI requests via memory upload limit bypass
Read the notes from the security team
Why is this CVE low priority?
Django developers have rated this as being a low severity issue
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| python-django | 25.10 questing | Needs evaluation |
| python-django | 24.04 LTS noble | Needs evaluation |
| python-django | 22.04 LTS jammy | Ignored |
| python-django | 20.04 LTS focal | Ignored |
| python-django | 18.04 LTS bionic | Ignored |
| python-django | 16.04 LTS xenial | Ignored |
| python-django | 14.04 LTS trusty | Ignored |
Notes
mdeslaur
The fix for this issue relies on LimitedStream being seekable, but in jammy and older, that is not the case. LimitedStream in recent versions was changed to use IOBase here: https://github.com/django/django/commit/b47f2f5b907732d80b164f1f361ae39da94a3fa6 We likely can't backport that change as it would break compatibility, so we will not be fixing this issue in jammy and earlier releases.
References
Related Ubuntu Security Notices (USN)
- USN-8154-1: Django vulnerabilities (7 April 2026)