CVE-2026-21441

high

Description

urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression based on the HTTP `Content-Encoding` header (e.g., `gzip`, `deflate`, `br`, or `zstd`). When using the streaming API, the library decompresses only the necessary bytes, enabling partial content consumption. Starting in version 1.22 and prior to version 2.6.3, for HTTP redirect responses, the library would read the entire response body to drain the connection and decompress the content unnecessarily. This decompression occurred even before any read methods were called, and configured read limits did not restrict the amount of decompressed data. As a result, there was no safeguard against decompression bombs. A malicious server could exploit this to trigger excessive resource consumption on the client. Applications and libraries are affected when they stream content from untrusted sources by setting `preload_content=False` when they do not disable redirects. Users should upgrade to at least urllib3 v2.6.3, in which the library does not decode content of redirect responses when `preload_content=False`. If upgrading is not immediately possible, disable redirects by setting `redirect=False` for requests to untrusted source.

References

https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-21441.json

https://lists.debian.org/debian-lts-announce/2026/01/msg00017.html

https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99

https://github.com/urllib3/urllib3/commit/8864ac407bba8607950025e0979c4c69bc7abc7b

https://bugzilla.redhat.com/show_bug.cgi?id=2427726

https://access.redhat.com/security/cve/CVE-2026-21441

https://access.redhat.com/errata/RHSA-2026:8501

https://access.redhat.com/errata/RHSA-2026:8500

https://access.redhat.com/errata/RHSA-2026:8151

https://access.redhat.com/errata/RHSA-2026:6292

https://access.redhat.com/errata/RHSA-2026:6287

https://access.redhat.com/errata/RHSA-2026:5459

https://access.redhat.com/errata/RHSA-2026:4467

https://access.redhat.com/errata/RHSA-2026:4466

https://access.redhat.com/errata/RHSA-2026:4271

https://access.redhat.com/errata/RHSA-2026:4215

https://access.redhat.com/errata/RHSA-2026:4185

https://access.redhat.com/errata/RHSA-2026:3960

https://access.redhat.com/errata/RHSA-2026:3884

https://access.redhat.com/errata/RHSA-2026:3874

https://access.redhat.com/errata/RHSA-2026:3869

https://access.redhat.com/errata/RHSA-2026:3782

https://access.redhat.com/errata/RHSA-2026:3713

https://access.redhat.com/errata/RHSA-2026:3462

https://access.redhat.com/errata/RHSA-2026:3461

https://access.redhat.com/errata/RHSA-2026:3444

https://access.redhat.com/errata/RHSA-2026:3406

https://access.redhat.com/errata/RHSA-2026:33154

https://access.redhat.com/errata/RHSA-2026:3296

https://access.redhat.com/errata/RHSA-2026:2926

https://access.redhat.com/errata/RHSA-2026:2925

https://access.redhat.com/errata/RHSA-2026:2924

https://access.redhat.com/errata/RHSA-2026:2919

https://access.redhat.com/errata/RHSA-2026:2911

https://access.redhat.com/errata/RHSA-2026:2900

https://access.redhat.com/errata/RHSA-2026:28441

https://access.redhat.com/errata/RHSA-2026:28043

https://access.redhat.com/errata/RHSA-2026:2765

https://access.redhat.com/errata/RHSA-2026:2764

https://access.redhat.com/errata/RHSA-2026:2762

https://access.redhat.com/errata/RHSA-2026:2760

https://access.redhat.com/errata/RHSA-2026:2728

https://access.redhat.com/errata/RHSA-2026:2723

https://access.redhat.com/errata/RHSA-2026:2718

https://access.redhat.com/errata/RHSA-2026:2717

https://access.redhat.com/errata/RHSA-2026:2695

https://access.redhat.com/errata/RHSA-2026:2681

https://access.redhat.com/errata/RHSA-2026:2563

https://access.redhat.com/errata/RHSA-2026:25127

https://access.redhat.com/errata/RHSA-2026:2500

https://access.redhat.com/errata/RHSA-2026:2456

https://access.redhat.com/errata/RHSA-2026:2256

https://access.redhat.com/errata/RHSA-2026:2144

https://access.redhat.com/errata/RHSA-2026:2139

https://access.redhat.com/errata/RHSA-2026:2137

https://access.redhat.com/errata/RHSA-2026:2126

https://access.redhat.com/errata/RHSA-2026:2106

https://access.redhat.com/errata/RHSA-2026:19712

https://access.redhat.com/errata/RHSA-2026:1957

https://access.redhat.com/errata/RHSA-2026:1942

https://access.redhat.com/errata/RHSA-2026:1805

https://access.redhat.com/errata/RHSA-2026:1803

https://access.redhat.com/errata/RHSA-2026:1794

https://access.redhat.com/errata/RHSA-2026:1793

https://access.redhat.com/errata/RHSA-2026:1792

https://access.redhat.com/errata/RHSA-2026:1791

https://access.redhat.com/errata/RHSA-2026:17463

https://access.redhat.com/errata/RHSA-2026:17462

https://access.redhat.com/errata/RHSA-2026:17461

https://access.redhat.com/errata/RHSA-2026:17460

https://access.redhat.com/errata/RHSA-2026:17457

https://access.redhat.com/errata/RHSA-2026:17456

https://access.redhat.com/errata/RHSA-2026:1736

https://access.redhat.com/errata/RHSA-2026:1735

https://access.redhat.com/errata/RHSA-2026:1734

https://access.redhat.com/errata/RHSA-2026:1730

https://access.redhat.com/errata/RHSA-2026:1729

https://access.redhat.com/errata/RHSA-2026:1726

https://access.redhat.com/errata/RHSA-2026:1717

https://access.redhat.com/errata/RHSA-2026:1712

https://access.redhat.com/errata/RHSA-2026:1706

https://access.redhat.com/errata/RHSA-2026:1704

https://access.redhat.com/errata/RHSA-2026:1693

https://access.redhat.com/errata/RHSA-2026:1676

https://access.redhat.com/errata/RHSA-2026:1674

https://access.redhat.com/errata/RHSA-2026:1652

https://access.redhat.com/errata/RHSA-2026:1619

https://access.redhat.com/errata/RHSA-2026:1618

https://access.redhat.com/errata/RHSA-2026:1609

https://access.redhat.com/errata/RHSA-2026:1599

https://access.redhat.com/errata/RHSA-2026:1596

https://access.redhat.com/errata/RHSA-2026:1546

https://access.redhat.com/errata/RHSA-2026:1504

https://access.redhat.com/errata/RHSA-2026:14877

https://access.redhat.com/errata/RHSA-2026:1485

https://access.redhat.com/errata/RHSA-2026:1254

https://access.redhat.com/errata/RHSA-2026:1241

https://access.redhat.com/errata/RHSA-2026:1240

https://access.redhat.com/errata/RHSA-2026:1239

https://access.redhat.com/errata/RHSA-2026:1226

https://access.redhat.com/errata/RHSA-2026:1224

https://access.redhat.com/errata/RHSA-2026:1176

https://access.redhat.com/errata/RHSA-2026:1168

https://access.redhat.com/errata/RHSA-2026:1166

https://access.redhat.com/errata/RHSA-2026:1089

https://access.redhat.com/errata/RHSA-2026:1088

https://access.redhat.com/errata/RHSA-2026:1087

https://access.redhat.com/errata/RHSA-2026:1086

https://access.redhat.com/errata/RHSA-2026:1042

https://access.redhat.com/errata/RHSA-2026:1041

https://access.redhat.com/errata/RHSA-2026:1038

https://access.redhat.com/errata/RHSA-2026:10184

https://access.redhat.com/errata/RHSA-2026:0990

https://access.redhat.com/errata/RHSA-2026:0981

Details

Source: Mitre, NVD

Published: 2026-01-07

Updated: 2026-07-03

Risk Information

CVSS v2

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

Severity: High

CVSS v3

Base Score: 7.5

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Severity: High

CVSS v4

Base Score: 8.9

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

Severity: High

EPSS

EPSS: 0.00014