CVE-2026-44432

EUVD-2026-30047
urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portion (1) during the second HTTPResponse.read(amt=N) call when the response was decompressed using the official Brotli library or (2) when HTTPResponse.drain_conn() was called after the response had been read and decompressed partially (compression algorithm did not matter here). These issues could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This could result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data) on the client side. This vulnerability is fixed in 2.7.0.
Data Amplification
CVSS 3.x Base Score
Provider: NIST (Primary)
Base Score: 7.5 HIGH
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score
Percentile: 30%
Affected Products (NVD)
Vendor: python
Product: urllib3
Version: 2.6.0 ≤ x < 2.7.0 (x = vulnerable software versions)
Debian Releases
Debian Product: python-urllib3
Codename: Version (Status)
bookworm: 1.26.12-1+deb12u3 (fixed)
bookworm (security): 1.26.12-1+deb12u4 (fixed)
bullseye: 1.26.5-1~exp1 (fixed)
bullseye (security): 1.26.5-1~exp1+deb11u4 (fixed)
forky: vulnerable
sid: vulnerable
trixie: 2.3.0-3+deb13u1 (fixed)
trixie (security): 2.3.0-3+deb13u2 (fixed)
Red Hat Enterprise Linux Releases
Red Hat Product (Release): Version (Status)
python3-urllib3 (RHEL 9): 0:1.26.5-8.el9_8 (fixed)
python3.12-urllib3 (RHEL 9): 0:1.26.19-3.el9_8 (fixed)
python3.14-urllib3 (RHEL 9): 0:2.6.3-2.el9_8 (fixed)