2427726 – (CVE-2026-21441) CVE-2026-21441 urllib3: urllib3 vulnerable to decompression-bomb safeguard bypass when following HTTP redirects (streaming API)

Bug 2427726 (CVE-2026-21441) - CVE-2026-21441 urllib3: urllib3 vulnerable to decompression-bomb safeguard bypass when following HTTP redirects (streaming API)

Summary: CVE-2026-21441 urllib3: urllib3 vulnerable to decompression-bomb safeguard by...

Keywords:
Status:	NEW
Alias:	CVE-2026-21441
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2428642 2428643 2428644 2428645 2428646 2428647 2428648 2428649 2428650 2428651 2428730 2428731
Blocks:
TreeView+	depends on / blocked

Reported:	2026-01-07 23:02 UTC by OSIDB Bzimport
Modified:	2026-01-12 18:59 UTC (History)
CC List:	161 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-01-07 23:02:25 UTC

urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression based on the HTTP `Content-Encoding` header (e.g., `gzip`, `deflate`, `br`, or `zstd`). When using the streaming API, the library decompresses only the necessary bytes, enabling partial content consumption. Starting in version 1.22 and prior to version 2.6.3, for HTTP redirect responses, the library would read the entire response body to drain the connection and decompress the content unnecessarily. This decompression occurred even before any read methods were called, and configured read limits did not restrict the amount of decompressed data. As a result, there was no safeguard against decompression bombs. A malicious server could exploit this to trigger excessive resource consumption on the client. Applications and libraries are affected when they stream content from untrusted sources by setting `preload_content=False` when they do not disable redirects. Users should upgrade to at least urllib3 v2.6.3, in which the library does not decode content of redirect responses when `preload_content=False`. If upgrading is not immediately possible, disable redirects by setting `redirect=False` for requests to untrusted source.

Note You need to log in before you can comment on or make changes to this bug.

abarbaro
adinn
adistefa
adudiak
alcohan
alinfoot
alizardo
amctagga
anjoseph
anpicker
anthomas
aoconnor
aprice
bbrownin
bdettelb
bniver
bparees
brasmith
carogers
caswilli
cochase
crizzo
dfreiber
dhanak
dnakabaa
doconnor
dranck
drosa
drow
dsimansk
dtrifiro
dymurray
eglynn
ehelms
erezende
flucifre
fzakkak
galder.zamarreno
ggainey
gmeno
gparvin
groman
gtanzill
haoli
hasun
hkataria
ibolton
jajackso
jbalunas
jburrell
jbuscemi
jcammara
jcantril
jchui
jdobes
jfula
jhe
jjoyce
jkoehler
jmatthew
jmitchel
jmontleo
jneedle
joehler
jowilson
jprabhak
jsamir
jschluet
juwatts
jwong
kaycoth
kegrant
kgaikwad
kingland
koliveir
kshier
ktsao
kverlaen
lball
lchilton
lcouzens
lgamliel
lhh
ljawale
lphiri
luizcosta
mabashia
manissin
matzew
mbabacek
mbenjamin
mburns
mgarciac
mhackett
mhayden
mhulan
mnovotny
mrunge
mskarbek
nboldt
ngough
nmoumoul
nweather
nyancey
oezr
olubyans
omaciel
ometelka
orabin
osousa
owatkins
pahickey
pakotvan
pbohmill
pbraun
pcreech
pgaikwad
pjindal
psrna
ptisnovs
rbobbitt
rbryant
rchan
rfreiman
rhaigner
rjohnson
rojacob
sausingh
sbiarozk
sdawley
sdoran
sfeifer
sgehwolf
shvarugh
simaishi
slucidi
smallamp
smcdonal
sostapov
sseago
stcannon
sthirugn
syedriko
teagle
tfister
thavo
tmalecek
tqvarnst
ttakamiy
vereddy
veshanka
vimartin
vkumar
weaton
whayutin
wtam
xdharmai
xiaoxwan
yguenane
zdohnal
zzhou