urllib3 2.6.0-<2.7.0 Decompress Whole Response DoS via Brotli
CVE-2026-44432 Published on May 13, 2026

urllib3: Decompression-bomb safeguards bypassed in parts of the streaming API
urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portion (1) during the second HTTPResponse.read(amt=N) call when the response was decompressed using the official Brotli library or (2) when HTTPResponse.drain_conn() was called after the response had been read and decompressed partially (compression algorithm did not matter here). These issues could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This could result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data) on the client side. This vulnerability is fixed in 2.7.0.
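As an added example that is not part of this advisory or of urllib3 itself, the guard below shows the client-side mitigation behind both findings: do not let the library inflate the body, read the still-compressed stream in fixed-size pieces, and cap the decoded output both per call and in total. It uses zlib (gzip/deflate) from the standard library rather than Brotli; the response object, the preload_content=False / decode_content=False usage it stands in for, and the sample bodies are assumptions/constructed.

```python
import gzip
import io
import zlib


class DecompressionBombError(Exception):
    """Decoded output would exceed the configured budget."""


def bounded_decode(raw, amt=16 * 1024, max_out=256 * 1024, max_total=1 << 20):
    """Yield decoded chunks of at most max_out bytes from raw.read(amt).

    raw is any file-like object returning compressed bytes; here it stands in
    for an urllib3 HTTPResponse opened with preload_content=False and read
    with decode_content=False (assumed usage, not shown on the advisory page).
    Raises DecompressionBombError once the decoded total passes max_total.
    """
    # wbits 32+15 lets zlib detect gzip or zlib (deflate) framing itself.
    d = zlib.decompressobj(wbits=zlib.MAX_WBITS | 32)
    total = 0
    pending = b""
    while not d.eof:
        if not pending:
            pending = raw.read(amt)
            if not pending:
                raise ValueError("stream ended before the end-of-stream marker")
        # max_length caps this call's output; compressed input not yet used is
        # kept in unconsumed_tail and fed back on the next iteration.
        out = d.decompress(pending, max_out)
        pending = d.unconsumed_tail
        total += len(out)
        if total > max_total:
            raise DecompressionBombError(
                f"decoded output exceeded the {max_total}-byte budget")
        if out:
            yield out


def decode_all(compressed, **limits):
    """Decode an in-memory compressed body under the same limits."""
    return b"".join(bounded_decode(io.BytesIO(compressed), **limits))


# Constructed sample inputs: a small legitimate body and a gzip "bomb"
# (16 MiB of zeros, which compress to roughly 16 KiB).
SMALL_BODY = gzip.compress(b"hello urllib3 " * 100)
BOMB = gzip.compress(b"\0" * (16 * 1024 * 1024))
```

With the default 1 MiB budget the bomb is rejected after five 256 KiB chunks, while raising max_total to 32 MiB decodes it fully but still never allocates more than 256 KiB of output per call.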

NVD

Vulnerability Analysis

CVE-2026-44432 is exploitable with network access and requires neither privileges nor user interaction. The attack complexity is considered low. An exploit of this vulnerability is considered to have no impact on confidentiality or integrity, and a high impact on availability.

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

Weakness Type

What is a Data Amplification Vulnerability?

The software does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output. An example of data amplification is a "decompression bomb," a small ZIP file that can produce a large amount of data when it is decompressed.

CVE-2026-44432 has been classified as a Data Amplification vulnerability or weakness.


Products Associated with CVE-2026-44432


Affected Versions

urllib3:
Red Hat Enterprise Linux AppStream (v. 10)
Red Hat Enterprise Linux AppStream (v. 8)
Red Hat Enterprise Linux AppStream (v. 9)
Red Hat Enterprise Linux BaseOS (v. 10)
Red Hat Enterprise Linux BaseOS (v. 9)
Red Hat AI Inference Server 3.3
Red Hat AI Inference Server 3.4
Red Hat Ansible Automation Platform 2.7
Red Hat Discovery 2
Red Hat Hardened Images
Red Hat Quay 3.12
Red Hat Quay 3.9
Red Hat Satellite 6.18
Red Hat Trusted Artifact Signer 1.3
Red Hat Trusted Artifact Signer 1.4
Red Hat Migration Toolkit for Applications 8
Red Hat OpenShift Lightspeed
Pen Drive Powered by Red Hat Lightspeed
Red Hat AI Inference Server
Red Hat Ansible Automation Platform 2
Red Hat OpenShift AI (RHOAI)
Red Hat OpenShift Container Platform 4
Red Hat Quay 3
Red Hat Satellite 6
Red Hat Service Telemetry Framework 1.5
Red Hat Exploit Intelligence
External Secrets Operator for Red Hat OpenShift
Red Hat Migration Toolkit for Containers
Red Hat Migration Toolkit for Virtualization
Red Hat OpenShift Service Mesh 3
Red Hat build of Quarkus Native builder
Red Hat Developer Hub
Red Hat Enterprise Linux 10
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7
Red Hat Enterprise Linux 8
Red Hat Enterprise Linux 9
Red Hat Enterprise Linux AI (RHEL AI) 3
Red Hat OpenShift Virtualization 4
Red Hat OpenStack Platform 17.1
Red Hat Update Infrastructure 4 for Cloud Providers

Exploit Probability

EPSS: 0.37%
Percentile: 28.39%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.