CVE-2026-9375

Publication date 19 June 2026

Last updated 7 July 2026


Ubuntu priority

Cvss 3 Severity Score

7.5 · High

Score breakdown

Description

urllib3 version 2.6.3 is vulnerable to a decompression bomb bypass in its streaming API (`preload_content=False`) when using Brotli support. The issue arises due to three independent code paths in `response.py` that bypass the `max_length` protection introduced in version 2.6.0 to mitigate CVE-2025-66471. Specifically, negative `max_length` values can be produced due to buffer arithmetic in `read()`, `flush_decoder` unconditionally overrides `max_length` to `-1`, and `_flush_decoder()` passes no limit at all, defaulting to unlimited decompression. This allows a malicious HTTP server to trigger an out-of-memory (OOM) condition by decompressing large payloads into memory, leading to a denial of service (DoS). The vulnerability affects urllib3 2.6.3 and Brotli 1.2.0 and impacts applications and libraries using `requests` or `urllib3` to stream content from untrusted sources.

Read the notes from the security team

Status

Package Ubuntu Release Status
python-urllib3 26.04 LTS resolute
Vulnerable, fix deferred
25.10 questing
Vulnerable, fix deferred
24.04 LTS noble
Vulnerable, fix deferred
22.04 LTS jammy
Vulnerable, fix deferred
20.04 LTS focal
Vulnerable, fix deferred
18.04 LTS bionic
Vulnerable, fix deferred
16.04 LTS xenial
Vulnerable, fix deferred
14.04 LTS trusty
Vulnerable, fix deferred
python-pip 26.04 LTS resolute
Vulnerable, fix deferred
25.10 questing
Vulnerable, fix deferred
24.04 LTS noble
Vulnerable, fix deferred
22.04 LTS jammy
Vulnerable, fix deferred
20.04 LTS focal
Vulnerable, fix deferred
18.04 LTS bionic
Vulnerable, fix deferred
14.04 LTS trusty
Vulnerable, fix deferred

Notes


mdeslaur

On focal and earlier, the python-pip package bundles python-urllib3 binaries when built. After updating python-urllib3, a no-change rebuild of python-pip is required. On jammy and later, python-urllib3 is bundled in the python-pip package and needs to be patched. While the NVD entry references the 2bdcc44d commit that fixed CVE-2026-44432, it doesn't appear that that would fix the issues described in this CVE. The commit id is probably wrong. No details about this issue or a fix for it as of 2026-07-07, marking as deferred for now.

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
python-urllib3

Severity score breakdown

CVSS version: CVSS v3.0

Base score 7.5 · High

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


Access our resources on patching vulnerabilities