CVE-2026-44432

high

Description

urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portion (1) during the second HTTPResponse.read(amt=N) call when the response was decompressed using the official Brotli library or (2) when HTTPResponse.drain_conn() was called after the response had been read and decompressed partially (compression algorithm did not matter here). These issues could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This could result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data) on the client side. This vulnerability is fixed in 2.7.0.

References

https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-44432.json

https://github.com/urllib3/urllib3/security/advisories/GHSA-mf9v-mfxr-j63j

https://bugzilla.redhat.com/show_bug.cgi?id=2477154

https://access.redhat.com/security/cve/CVE-2026-44432

https://access.redhat.com/errata/RHSA-2026:7634

https://access.redhat.com/errata/RHSA-2026:7625

https://access.redhat.com/errata/RHSA-2026:37275

https://access.redhat.com/errata/RHSA-2026:36350

https://access.redhat.com/errata/RHSA-2026:34607

https://access.redhat.com/errata/RHSA-2026:34533

https://access.redhat.com/errata/RHSA-2026:34531

https://access.redhat.com/errata/RHSA-2026:34526

https://access.redhat.com/errata/RHSA-2026:34374

https://access.redhat.com/errata/RHSA-2026:34160

https://access.redhat.com/errata/RHSA-2026:33683

https://access.redhat.com/errata/RHSA-2026:33313

https://access.redhat.com/errata/RHSA-2026:32992

https://access.redhat.com/errata/RHSA-2026:30089

https://access.redhat.com/errata/RHSA-2026:30088

https://access.redhat.com/errata/RHSA-2026:30087

https://access.redhat.com/errata/RHSA-2026:30078

https://access.redhat.com/errata/RHSA-2026:30076

https://access.redhat.com/errata/RHSA-2026:28571

https://access.redhat.com/errata/RHSA-2026:28159

https://access.redhat.com/errata/RHSA-2026:28158

https://access.redhat.com/errata/RHSA-2026:28157

https://access.redhat.com/errata/RHSA-2026:28000

https://access.redhat.com/errata/RHSA-2026:27929

https://access.redhat.com/errata/RHSA-2026:26304

https://access.redhat.com/errata/RHSA-2026:26212

https://access.redhat.com/errata/RHSA-2026:25928

https://access.redhat.com/errata/RHSA-2026:25143

https://access.redhat.com/errata/RHSA-2026:25039

https://access.redhat.com/errata/RHSA-2026:24544

https://access.redhat.com/errata/RHSA-2026:24542

https://access.redhat.com/errata/RHSA-2026:24541

https://access.redhat.com/errata/RHSA-2026:24540

https://access.redhat.com/errata/RHSA-2026:24483

https://access.redhat.com/errata/RHSA-2026:24476

https://access.redhat.com/errata/RHSA-2026:24374

https://access.redhat.com/errata/RHSA-2026:24069

https://access.redhat.com/errata/RHSA-2026:24014

https://access.redhat.com/errata/RHSA-2026:24009

https://access.redhat.com/errata/RHSA-2026:24000

https://access.redhat.com/errata/RHSA-2026:23992

https://access.redhat.com/errata/RHSA-2026:22934

https://access.redhat.com/errata/RHSA-2026:20338

https://access.redhat.com/errata/RHSA-2026:15862

Details

Source: Mitre, NVD

Published: 2026-05-13

Updated: 2026-07-13

Risk Information

CVSS v2

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

Severity: High

CVSS v3

Base Score: 7.5

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Severity: High

CVSS v4

Base Score: 8.9

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

Severity: High

EPSS

EPSS: 0.00042