PatchSiren cyber security CVE debrief
CVE-2026-44432 urllib3 CVE debrief
CVE-2026-44432 is a vulnerability in the urllib3 library for Python, which could lead to excessive resource consumption due to improper decompression of HTTP responses. The vulnerability affects versions from 2.6.0 to before 2.7.0. An attacker could exploit this vulnerability by sending a highly compressed response, causing the client to consume high CPU and allocate a large amount of memory. The issue is fixed in version 2.7.0.
- Vendor: urllib3
- Product: Unknown
- CVSS: HIGH 8.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-13
- Original CVE updated: 2026-07-01
- Advisory published: 2026-05-13
- Advisory updated: 2026-07-01
Who should care
Users of the urllib3 library in Python, particularly those running versions from 2.6.0 up to but not including 2.7.0, should be aware of this vulnerability and take steps to mitigate it. This means updating to version 2.7.0 or applying the patches provided by the vendor. Organizations running affected versions should prioritize patching to prevent resource exhaustion attacks.
Technical summary
The urllib3 library for Python, in versions from 2.6.0 up to but not including 2.7.0, decompresses HTTP responses improperly in two situations: on the second HTTPResponse.read(amt=N) call when the response was decompressed using the official Brotli library, and when HTTPResponse.drain_conn() is called after the response has been read and partially decompressed. In either case the client can be driven to excessive resource consumption, with high CPU usage and a very large memory allocation for the decompressed data. The Common Vulnerability Scoring System (CVSS) score for this vulnerability is 8.9, indicating high severity.
Defensive priority
High priority should be given to patching or mitigating this vulnerability, as it can lead to resource exhaustion attacks. Updating to version 2.7.0 of the urllib3 library is recommended.
Recommended defensive actions
- Update to urllib3 version 2.7.0 or later
- Apply patches provided by the vendor
- Monitor for and limit highly compressed responses
- Implement resource limits for HTTP responses
- Regularly review and update dependencies
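A worked illustration of the "implement resource limits for HTTP responses" action above, added here as an example and not code from this debrief or from the urllib3 project: a bounded inflater built on the Python standard library's zlib module, which caps how many decompressed bytes a gzip- or zlib-encoded body may produce no matter how small the compressed input is. The function and class names are the example author's own, and the sample input is a constructed, highly compressible body used only to exercise the limit. It covers the gzip and deflate encodings only; limiting Brotli output needs the equivalent facility in that library.

```python
import gzip
import zlib
from typing import Iterable, Iterator


class DecompressionLimitExceeded(Exception):
    """Raised when an HTTP body would inflate past the configured ceiling."""


def inflate_bounded(chunks: Iterable[bytes], max_decompressed: int,
                    out_chunk: int = 64 * 1024) -> bytes:
    """Inflate a gzip- or zlib-encoded body, refusing to produce more than
    max_decompressed bytes regardless of how small the compressed input is.

    zlib.Decompress.decompress(data, max_length) returns at most max_length
    bytes per call and parks any unprocessed input in .unconsumed_tail, so
    memory grows by at most out_chunk per step and the loop aborts as soon as
    the running total crosses the ceiling, before a large buffer ever exists.
    """
    # wbits=MAX_WBITS|32 auto-detects a gzip or zlib header (HTTP "gzip"/"deflate")
    dec = zlib.decompressobj(wbits=zlib.MAX_WBITS | 32)
    out = bytearray()
    for chunk in chunks:
        pending = chunk
        while True:
            before = pending
            piece = dec.decompress(pending, out_chunk)
            out += piece
            if len(out) > max_decompressed:
                raise DecompressionLimitExceeded(
                    f"decompressed body exceeded {max_decompressed} bytes")
            pending = dec.unconsumed_tail
            if dec.eof:
                break
            # A full-sized piece means output space, not input, was the limiter:
            # zlib may still hold output for this input, so call again.
            if not pending and len(piece) < out_chunk:
                break
            if not piece and pending == before:
                raise ValueError("decompressor made no progress")
        if dec.eof:
            break
    if not dec.eof:
        raise ValueError("truncated compressed body")
    return bytes(out)


def exceeds_limit(chunks: Iterable[bytes], max_decompressed: int) -> bool:
    """True if inflating the body would cross the ceiling (the defensive outcome)."""
    try:
        inflate_bounded(chunks, max_decompressed)
    except DecompressionLimitExceeded:
        return True
    return False


def gzip_zeros(n: int) -> bytes:
    """Constructed sample: n NUL bytes gzipped, tiny on the wire but large once
    inflated; used only to exercise the limit."""
    return gzip.compress(b"\x00" * n)


def chunked(data: bytes, size: int) -> Iterator[bytes]:
    """Split bytes into wire-sized pieces, mimicking a streamed response body."""
    for i in range(0, len(data), size):
        yield data[i:i + size]


if __name__ == "__main__":
    # A small body passes through unchanged.
    assert inflate_bounded([gzip_zeros(1000)], 4096) == b"\x00" * 1000
    # An 8 MiB body fed in 4 KiB network chunks is stopped at the 1 MiB ceiling
    # after allocating at most a few output chunks.
    print("8 MiB body vs 1 MiB limit, rejected:",
          exceeds_limit(chunked(gzip_zeros(8 << 20), 4096), 1 << 20))
```

To put this in front of urllib3, the caller fetches with preload_content=False and decode_content=False so the library returns the raw compressed bytes, checks the Content-Encoding header, and passes resp.stream(4096, decode_content=False) to inflate_bounded; that wiring is an assumption about the caller's setup, not an instruction from the advisory.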
Evidence notes
The CVE record and NVD detail provide information on the vulnerability, its impact, and the affected versions. The vendor advisory on GitHub and Red Hat errata provide mitigation and patch information.
Official resources
- CVE-2026-44432 CVE record (CVE.org)
- CVE-2026-44432 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Mitigation, Vendor Advisory
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.