Intel

AIKIDO-2026-10809

urllib3-future is vulnerable to Decompression Bomb

Decompression BombCVE-2026-44432 Published May 14, 2026

89

High Risk

This Affects:

PYTHONurllib3-future
2.15.900 - 2.19.913
Fixed in 2.20.900
Are you affected? Scan for Free

TL;DR

Affected versions of urllib3-future may fully decompress specially crafted compressed HTTP responses during streaming operations, leading to excessive CPU and memory consumption on the client side and potentially causing denial of service conditions.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

urllib3-future is vulnerable to Decompression Bomb in versions 2.15.900 - 2.19.913.

How to fix this

Upgrade the urllib3-future library to the patch version. If upgrading is not possible, use brotlicffi instead of the official Brotli library and replace HTTPResponse.drain_conn() calls with HTTPResponse.close() where connection reuse is not required.

Links

Other

access.redhat.com/errata/RHSA-2026:15862
https://access.redhat.com/errata/RHSA-2026:15862
access.redhat.com/errata/RHSA-2026:20338
https://access.redhat.com/errata/RHSA-2026:20338
access.redhat.com/errata/RHSA-2026:22934
https://access.redhat.com/errata/RHSA-2026:22934
access.redhat.com/errata/RHSA-2026:24000
https://access.redhat.com/errata/RHSA-2026:24000
access.redhat.com/errata/RHSA-2026:24009
https://access.redhat.com/errata/RHSA-2026:24009
access.redhat.com/errata/RHSA-2026:24014
https://access.redhat.com/errata/RHSA-2026:24014
access.redhat.com/errata/RHSA-2026:24069
https://access.redhat.com/errata/RHSA-2026:24069
access.redhat.com/errata/RHSA-2026:24374
https://access.redhat.com/errata/RHSA-2026:24374
access.redhat.com/errata/RHSA-2026:24476
https://access.redhat.com/errata/RHSA-2026:24476
access.redhat.com/errata/RHSA-2026:24483
https://access.redhat.com/errata/RHSA-2026:24483
access.redhat.com/errata/RHSA-2026:24540
https://access.redhat.com/errata/RHSA-2026:24540
access.redhat.com/errata/RHSA-2026:24541
https://access.redhat.com/errata/RHSA-2026:24541
access.redhat.com/errata/RHSA-2026:24542
https://access.redhat.com/errata/RHSA-2026:24542
access.redhat.com/errata/RHSA-2026:24544
https://access.redhat.com/errata/RHSA-2026:24544
access.redhat.com/errata/RHSA-2026:25039
https://access.redhat.com/errata/RHSA-2026:25039
access.redhat.com/errata/RHSA-2026:25143
https://access.redhat.com/errata/RHSA-2026:25143
access.redhat.com/errata/RHSA-2026:25928
https://access.redhat.com/errata/RHSA-2026:25928
access.redhat.com/errata/RHSA-2026:26212
https://access.redhat.com/errata/RHSA-2026:26212
access.redhat.com/errata/RHSA-2026:26304
https://access.redhat.com/errata/RHSA-2026:26304
access.redhat.com/errata/RHSA-2026:27929
https://access.redhat.com/errata/RHSA-2026:27929
access.redhat.com/errata/RHSA-2026:28000
https://access.redhat.com/errata/RHSA-2026:28000
access.redhat.com/errata/RHSA-2026:28157
https://access.redhat.com/errata/RHSA-2026:28157
access.redhat.com/errata/RHSA-2026:28158
https://access.redhat.com/errata/RHSA-2026:28158
access.redhat.com/errata/RHSA-2026:28159
https://access.redhat.com/errata/RHSA-2026:28159
access.redhat.com/errata/RHSA-2026:28571
https://access.redhat.com/errata/RHSA-2026:28571
access.redhat.com/errata/RHSA-2026:30076
https://access.redhat.com/errata/RHSA-2026:30076
access.redhat.com/errata/RHSA-2026:30078
https://access.redhat.com/errata/RHSA-2026:30078
access.redhat.com/errata/RHSA-2026:30087
https://access.redhat.com/errata/RHSA-2026:30087
access.redhat.com/errata/RHSA-2026:30088
https://access.redhat.com/errata/RHSA-2026:30088
access.redhat.com/errata/RHSA-2026:30089
https://access.redhat.com/errata/RHSA-2026:30089
access.redhat.com/errata/RHSA-2026:32992
https://access.redhat.com/errata/RHSA-2026:32992
access.redhat.com/errata/RHSA-2026:33313
https://access.redhat.com/errata/RHSA-2026:33313
access.redhat.com/errata/RHSA-2026:33683
https://access.redhat.com/errata/RHSA-2026:33683
access.redhat.com/errata/RHSA-2026:34160
https://access.redhat.com/errata/RHSA-2026:34160
access.redhat.com/errata/RHSA-2026:34374
https://access.redhat.com/errata/RHSA-2026:34374
access.redhat.com/errata/RHSA-2026:34526
https://access.redhat.com/errata/RHSA-2026:34526
access.redhat.com/errata/RHSA-2026:34531
https://access.redhat.com/errata/RHSA-2026:34531
access.redhat.com/errata/RHSA-2026:34533
https://access.redhat.com/errata/RHSA-2026:34533
access.redhat.com/errata/RHSA-2026:34607
https://access.redhat.com/errata/RHSA-2026:34607
access.redhat.com/errata/RHSA-2026:36350
https://access.redhat.com/errata/RHSA-2026:36350
access.redhat.com/errata/RHSA-2026:37275
https://access.redhat.com/errata/RHSA-2026:37275
access.redhat.com/errata/RHSA-2026:7625
https://access.redhat.com/errata/RHSA-2026:7625
access.redhat.com/errata/RHSA-2026:7634
https://access.redhat.com/errata/RHSA-2026:7634
access.redhat.com/security/cve/CVE-2026-44432
https://access.redhat.com/security/cve/CVE-2026-44432
bugzilla.redhat.com/show_bug.cgi?id=2477154
https://bugzilla.redhat.com/show_bug.cgi?id=2477154
security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-44432.json
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-44432.json