CVE-2026-44432
urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the request
CVSS
7.5
Alto
EPSS
0.7%
p48
KEV
—
Exploit Today
14
0-100
Publicado: 13 may 2026 · Última mod.: 16 jul 2026 · CWE-409
urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portion (1) during the second HTTPResponse.read(amt=N) call when the response was decompressed using the official Brotli library or (2) when HTTPResponse.drain_conn() was called after the response had been read and decompressed partially (compression algorithm did not matter here). These issues could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This could result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data) on the client side. This vulnerability is fixed in 2.7.0.
- github.comhttps://github.com/urllib3/urllib3/security/advisories/GHSA-mf9v-mfxr-j63j
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:15862
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:20338
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:22934
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:24000
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:24009
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:24014
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:24069
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:24374
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:24476
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:24483
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:24540
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:24541
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:24542
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:24544
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:25039
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:25143
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:25928
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:26212
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:26304