Bug 2431307

Summary: CVE-2026-21441 python-urllib3: urllib3 vulnerable to decompression-bomb safeguard bypass when following HTTP redirects (streaming API) [fedora-42]
Product: [Fedora] Fedora
Reporter: Dhananjay Arunesh <darunesh>
Component: python-urllib3
Assignee: Python Maintainers <python-maint>
Status: NEW ---
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: high
Version: 42
CC: aurelien, code, infra-sig, jeremy, lbalhar, mhroncok, python-maint, python-packagers-sig
Target Milestone: ---
Keywords: Security, SecurityTracking
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard: {"flaws": ["923f2eaa-6fec-4f4f-b7d5-7a0172549e5d"]}
Fixed In Version:
Doc Type: ---
Bug Blocks: 2427726

Description Dhananjay Arunesh 2026-01-20 19:01:18 UTC
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.

Comment 1 Ben Beasley 2026-01-20 21:43:06 UTC
Per https://www.cve.org/CVERecord?id=CVE-2026-21441, this is fixed in 2.6.3 and later. Fedora 43 has 2.3.0, so it is affected. The fix is compact, but it’s hard to be confident backporting it across several releases, especially considering possible interactions with fixes for CVE-2025-66471. An update may be possible, but includes new nontrivial dependencies. See https://src.fedoraproject.org/rpms/python-urllib3/pull-request/49 for discussion.

Comment 2 Lumír Balhar 2026-02-26 11:22:36 UTC
I'm afraid we won't be able to fix this before Fedora 42 goes EOL in May.