PatchSiren cyber security CVE debrief

CVE-2026-44432 urllib3 CVE debrief

CVE-2026-44432 is a vulnerability in the urllib3 library for Python, which could lead to excessive resource consumption due to improper decompression of HTTP responses. The vulnerability affects versions from 2.6.0 to before 2.7.0. An attacker could exploit this vulnerability by sending a highly compressed response, causing the client to consume high CPU and allocate a large amount of memory. The issue is fixed in version 2.7.0.

Vendor: urllib3
Product: Unknown
CVSS: HIGH 8.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-13
Original CVE updated: 2026-07-01
Advisory published: 2026-05-13
Advisory updated: 2026-07-01

Who should care

Users of the urllib3 library in Python, particularly those running versions from 2.6.0 up to but not including 2.7.0, should be aware of this vulnerability and take steps to mitigate it, either by updating to version 2.7.0 or by applying the patches provided by the vendor. Organizations on affected versions should prioritize patching to prevent resource exhaustion attacks against their HTTP clients.

Technical summary

The urllib3 library for Python, versions from 2.6.0 up to but not including 2.7.0, decompresses HTTP response bodies improperly in two situations: on the second HTTPResponse.read(amt=N) call when the response is being decompressed with the official Brotli library, and when HTTPResponse.drain_conn() is called after the response has been partially read and decompressed. In both cases a highly compressed response can make the client spend excessive CPU time and allocate a very large amount of memory for the decompressed data. The Common Vulnerability Scoring System (CVSS) score of 8.9 indicates high severity.

Defensive priority

High priority should be given to patching or mitigating this vulnerability, as it can lead to resource exhaustion attacks. Updating to version 2.7.0 of the urllib3 library is recommended.

Recommended defensive actions

  • Update to urllib3 version 2.7.0 or later
  • Apply patches provided by the vendor
  • Monitor for and limit highly compressed responses
  • Implement resource limits for HTTP responses
  • Regularly review and update dependencies
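As an added example for the "Implement resource limits for HTTP responses" item above (illustrative code, not from urllib3 or the advisory): it decompresses a response body in bounded steps and aborts once the plaintext passes a cap, so a highly compressed reply cannot force one huge allocation on the client. It uses gzip through the standard library's zlib because that API supports bounded output; fetch_bounded, the way it wires urllib3's raw stream into the guard, and the sample bodies are assumptions constructed for this example.

```python
import gzip
import zlib

class DecompressedSizeExceeded(Exception):
    """Raised when a response body would inflate past the configured cap."""

def _pieces(chunks, step):
    """Yield decompressed output in at most `step`-byte pieces (gzip framing)."""
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)
    for data in chunks:
        while data:  # loop until zlib has consumed this network chunk
            yield d.decompress(data, step)  # max_length bounds the allocation
            data = d.unconsumed_tail
    yield d.flush()  # any output still buffered at end of stream

def bounded_inflate(chunks, max_out, step=64 * 1024):
    """Stream-decompress, raising once the running total passes max_out."""
    produced = 0
    for out in _pieces(chunks, step):
        produced += len(out)
        if produced > max_out:
            raise DecompressedSizeExceeded(f"body exceeded {max_out} bytes")
        yield out

def fetch_bounded(url, max_out):
    """Assumed caller-side wiring (not exercised offline); drain_conn() is deliberately not called."""
    import urllib3
    resp = urllib3.PoolManager().request("GET", url, preload_content=False, decode_content=False)
    try:  # take the raw, still-compressed body from urllib3 and decompress it here
        return b"".join(bounded_inflate(resp.stream(64 * 1024, decode_content=False), max_out))
    finally:
        resp.close()  # drop the connection instead of draining leftover data

# Constructed sample bodies: a normal reply, and 8 MiB of zeros that gzip
# shrinks to a few KiB, standing in for a highly compressed response.
SMALL_BODY = gzip.compress(b"hello from the origin server")
BOMB_BODY = gzip.compress(b"\x00" * (8 * 1024 * 1024))

def chunked(body, size=4096):  # split a body into pieces, as resp.stream() would
    return (body[i:i + size] for i in range(0, len(body), size))

def demo(max_out=1 << 20):  # returns (small plaintext, whether the bomb was blocked)
    ok = b"".join(bounded_inflate(chunked(SMALL_BODY), max_out))
    try:
        b"".join(bounded_inflate(chunked(BOMB_BODY), max_out))
        return ok, False
    except DecompressedSizeExceeded:
        return ok, True
```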

Evidence notes

The CVE record and NVD detail provide information on the vulnerability, its impact, and the affected versions. The vendor advisory on GitHub and Red Hat errata provide mitigation and patch information.

Official resources

This article is AI-assisted and based on the supplied source corpus.