urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression based on the HTTP `Content-Encoding` header (e.g., `gzip`, `deflate`, `br`, or `zstd`). When using the streaming API, the library decompresses only the necessary bytes, enabling partial content consumption. Starting in version 1.22 and prior to version 2.6.3, for HTTP redirect responses, the library would read the entire response body to drain the connection and decompress the content unnecessarily. This decompression occurred even before any read methods were called, and configured read limits did not restrict the amount of decompressed data. As a result, there was no safeguard against decompression bombs. A malicious server could exploit this to trigger excessive resource consumption on the client. Applications and libraries are affected when they stream content from untrusted sources by setting `preload_content=False` when they do not disable redirects. Users should upgrade to at least urllib3 v2.6.3, in which the library does not decode content of redirect responses when `preload_content=False`. If upgrading is not immediately possible, disable redirects by setting `redirect=False` for requests to untrusted source.
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-21441.json
https://lists.debian.org/debian-lts-announce/2026/01/msg00017.html
https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99
https://github.com/urllib3/urllib3/commit/8864ac407bba8607950025e0979c4c69bc7abc7b
https://bugzilla.redhat.com/show_bug.cgi?id=2427726
https://access.redhat.com/security/cve/CVE-2026-21441
https://access.redhat.com/errata/RHSA-2026:8501
https://access.redhat.com/errata/RHSA-2026:8500
https://access.redhat.com/errata/RHSA-2026:8151
https://access.redhat.com/errata/RHSA-2026:6292
https://access.redhat.com/errata/RHSA-2026:6287
https://access.redhat.com/errata/RHSA-2026:5459
https://access.redhat.com/errata/RHSA-2026:4467
https://access.redhat.com/errata/RHSA-2026:4466
https://access.redhat.com/errata/RHSA-2026:4271
https://access.redhat.com/errata/RHSA-2026:4215
https://access.redhat.com/errata/RHSA-2026:4185
https://access.redhat.com/errata/RHSA-2026:3960
https://access.redhat.com/errata/RHSA-2026:3884
https://access.redhat.com/errata/RHSA-2026:3874
https://access.redhat.com/errata/RHSA-2026:3869
https://access.redhat.com/errata/RHSA-2026:3782
https://access.redhat.com/errata/RHSA-2026:3713
https://access.redhat.com/errata/RHSA-2026:3462
https://access.redhat.com/errata/RHSA-2026:3461
https://access.redhat.com/errata/RHSA-2026:3444
https://access.redhat.com/errata/RHSA-2026:3406
https://access.redhat.com/errata/RHSA-2026:33154
https://access.redhat.com/errata/RHSA-2026:3296
https://access.redhat.com/errata/RHSA-2026:2926
https://access.redhat.com/errata/RHSA-2026:2925
https://access.redhat.com/errata/RHSA-2026:2924
https://access.redhat.com/errata/RHSA-2026:2919
https://access.redhat.com/errata/RHSA-2026:2911
https://access.redhat.com/errata/RHSA-2026:2900
https://access.redhat.com/errata/RHSA-2026:28441
https://access.redhat.com/errata/RHSA-2026:28043
https://access.redhat.com/errata/RHSA-2026:2765
https://access.redhat.com/errata/RHSA-2026:2764
https://access.redhat.com/errata/RHSA-2026:2762
https://access.redhat.com/errata/RHSA-2026:2760
https://access.redhat.com/errata/RHSA-2026:2728
https://access.redhat.com/errata/RHSA-2026:2723
https://access.redhat.com/errata/RHSA-2026:2718
https://access.redhat.com/errata/RHSA-2026:2717
https://access.redhat.com/errata/RHSA-2026:2695
https://access.redhat.com/errata/RHSA-2026:2681
https://access.redhat.com/errata/RHSA-2026:2563
https://access.redhat.com/errata/RHSA-2026:25127
https://access.redhat.com/errata/RHSA-2026:2500
https://access.redhat.com/errata/RHSA-2026:2456
https://access.redhat.com/errata/RHSA-2026:2256
https://access.redhat.com/errata/RHSA-2026:2144
https://access.redhat.com/errata/RHSA-2026:2139
https://access.redhat.com/errata/RHSA-2026:2137
https://access.redhat.com/errata/RHSA-2026:2126
https://access.redhat.com/errata/RHSA-2026:2106
https://access.redhat.com/errata/RHSA-2026:19712
https://access.redhat.com/errata/RHSA-2026:1957
https://access.redhat.com/errata/RHSA-2026:1942
https://access.redhat.com/errata/RHSA-2026:1805
https://access.redhat.com/errata/RHSA-2026:1803
https://access.redhat.com/errata/RHSA-2026:1794
https://access.redhat.com/errata/RHSA-2026:1793
https://access.redhat.com/errata/RHSA-2026:1792
https://access.redhat.com/errata/RHSA-2026:1791
https://access.redhat.com/errata/RHSA-2026:17463
https://access.redhat.com/errata/RHSA-2026:17462
https://access.redhat.com/errata/RHSA-2026:17461
https://access.redhat.com/errata/RHSA-2026:17460
https://access.redhat.com/errata/RHSA-2026:17457
https://access.redhat.com/errata/RHSA-2026:17456
https://access.redhat.com/errata/RHSA-2026:1736
https://access.redhat.com/errata/RHSA-2026:1735
https://access.redhat.com/errata/RHSA-2026:1734
https://access.redhat.com/errata/RHSA-2026:1730
https://access.redhat.com/errata/RHSA-2026:1729
https://access.redhat.com/errata/RHSA-2026:1726
https://access.redhat.com/errata/RHSA-2026:1717
https://access.redhat.com/errata/RHSA-2026:1712
https://access.redhat.com/errata/RHSA-2026:1706
https://access.redhat.com/errata/RHSA-2026:1704
https://access.redhat.com/errata/RHSA-2026:1693
https://access.redhat.com/errata/RHSA-2026:1676
https://access.redhat.com/errata/RHSA-2026:1674
https://access.redhat.com/errata/RHSA-2026:1652
https://access.redhat.com/errata/RHSA-2026:1619
https://access.redhat.com/errata/RHSA-2026:1618
https://access.redhat.com/errata/RHSA-2026:1609
https://access.redhat.com/errata/RHSA-2026:1599
https://access.redhat.com/errata/RHSA-2026:1596
https://access.redhat.com/errata/RHSA-2026:1546
https://access.redhat.com/errata/RHSA-2026:1504
https://access.redhat.com/errata/RHSA-2026:14877
https://access.redhat.com/errata/RHSA-2026:1485
https://access.redhat.com/errata/RHSA-2026:1254
https://access.redhat.com/errata/RHSA-2026:1241
https://access.redhat.com/errata/RHSA-2026:1240
https://access.redhat.com/errata/RHSA-2026:1239
https://access.redhat.com/errata/RHSA-2026:1226
https://access.redhat.com/errata/RHSA-2026:1224
https://access.redhat.com/errata/RHSA-2026:1176
https://access.redhat.com/errata/RHSA-2026:1168
https://access.redhat.com/errata/RHSA-2026:1166
https://access.redhat.com/errata/RHSA-2026:1089
https://access.redhat.com/errata/RHSA-2026:1088
https://access.redhat.com/errata/RHSA-2026:1087
https://access.redhat.com/errata/RHSA-2026:1086
https://access.redhat.com/errata/RHSA-2026:1042
https://access.redhat.com/errata/RHSA-2026:1041
https://access.redhat.com/errata/RHSA-2026:1038
https://access.redhat.com/errata/RHSA-2026:10184
Published: 2026-01-07
Updated: 2026-07-03
Base Score: 7.8
Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C
Severity: High
Base Score: 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity: High
Base Score: 8.9
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H
Severity: High
EPSS: 0.00014