Not to be fixed
Created: Apr 9, 2026
Updated: Apr 17, 2026
Resolved Date: Apr 17, 2026
Found In Version: 10.23.30.2
Severity: Standard
Applicable for: Wind River Linux LTS 23
Component/s: Userspace
An issue was discovered in Django 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30.
ASGI requests with a missing or understated `Content-Length` header could
bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading
`HttpRequest.body`, allowing remote attackers to load an unbounded request body into
memory.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
"========Wind River Notice========"
Refer to https://ubuntu.com/security/CVE-2026-33034
The fix requires a seekable LimitedStream[1]. Older Django versions (4.2a1 and earlier) lack this capability, making backporting impractical without breaking compatibility.
[1] https://github.com/django/django/commit/b47f2f5b907732d80b164f1f361ae39da94a3fa6