8.9

CVE-2026-44432

urllib3: Decompression-bomb safeguards bypassed in parts of the streaming API

urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portion (1) during the second HTTPResponse.read(amt=N) call when the response was decompressed using the official Brotli library or (2) when HTTPResponse.drain_conn() was called after the response had been read and decompressed partially (compression algorithm did not matter here). These issues could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This could result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data) on the client side. This vulnerability is fixed in 2.7.0.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
PythonUrllib3 Version >= 2.6.0 < 2.7.0
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.68% 0.477
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
security-advisories@github.com 8.9 0 0
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
0b0ca135-0b70-47e7-9f44-1890c2a1c46c 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-409 Improper Handling of Highly Compressed Data (Data Amplification)

The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.

https://bugzilla.redhat.com/show_bug.cgi?id=2477154
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-44432.json
https://access.redhat.com/errata/RHSA-2026:30078
https://access.redhat.com/errata/RHSA-2026:30087
https://access.redhat.com/errata/RHSA-2026:30088
https://access.redhat.com/errata/RHSA-2026:30089
https://access.redhat.com/errata/RHSA-2026:20338
https://access.redhat.com/errata/RHSA-2026:25039
https://access.redhat.com/errata/RHSA-2026:34374
https://access.redhat.com/errata/RHSA-2026:33313
https://access.redhat.com/errata/RHSA-2026:34160
https://access.redhat.com/errata/RHSA-2026:22934
https://access.redhat.com/errata/RHSA-2026:36350
https://access.redhat.com/errata/RHSA-2026:28571
https://access.redhat.com/errata/RHSA-2026:30076
https://access.redhat.com/errata/RHSA-2026:33683
https://github.com/urllib3/urllib3/security/advisories/GHSA-mf9v-mfxr-j63j
Vendor Advisory
Mitigation
https://access.redhat.com/errata/RHSA-2026:15862
https://access.redhat.com/errata/RHSA-2026:24000
https://access.redhat.com/errata/RHSA-2026:24009
https://access.redhat.com/errata/RHSA-2026:24014
https://access.redhat.com/errata/RHSA-2026:24069
https://access.redhat.com/errata/RHSA-2026:24374
https://access.redhat.com/errata/RHSA-2026:24476
https://access.redhat.com/errata/RHSA-2026:24483
https://access.redhat.com/errata/RHSA-2026:24540
https://access.redhat.com/errata/RHSA-2026:24541
https://access.redhat.com/errata/RHSA-2026:24542
https://access.redhat.com/errata/RHSA-2026:24544
https://access.redhat.com/errata/RHSA-2026:25143
https://access.redhat.com/errata/RHSA-2026:25928
https://access.redhat.com/errata/RHSA-2026:26212
https://access.redhat.com/errata/RHSA-2026:26304
https://access.redhat.com/errata/RHSA-2026:27929
https://access.redhat.com/errata/RHSA-2026:28000
https://access.redhat.com/errata/RHSA-2026:28157
https://access.redhat.com/errata/RHSA-2026:28158
https://access.redhat.com/errata/RHSA-2026:28159
https://access.redhat.com/errata/RHSA-2026:32992
https://access.redhat.com/errata/RHSA-2026:34526
https://access.redhat.com/errata/RHSA-2026:34531
https://access.redhat.com/errata/RHSA-2026:34533
https://access.redhat.com/errata/RHSA-2026:34607
https://access.redhat.com/errata/RHSA-2026:7625
https://access.redhat.com/errata/RHSA-2026:7634
https://access.redhat.com/security/cve/CVE-2026-44432
https://access.redhat.com/errata/RHSA-2026:37275