CVE-2026-44432 Overview
CVE-2026-44432 is a resource exhaustion vulnerability in the urllib3 HTTP client library for Python. The flaw affects versions from 2.6.0 up to but not including 2.7.0. Under specific conditions, urllib3 decompresses an entire HTTP response instead of the requested byte range. Attackers can deliver a small amount of highly compressed data that expands into massive memory allocations and CPU usage on the client. The issue manifests in two scenarios: the second HTTPResponse.read(amt=N) call when Brotli decompression is in use, and any call to HTTPResponse.drain_conn() after a partial read. The vulnerability is tracked as CWE-409 (Improper Handling of Highly Compressed Data) and is fixed in urllib3 2.7.0.
Critical Impact
A malicious or compromised HTTP server can cause Python clients using vulnerable urllib3 versions to exhaust CPU and memory through compression bomb responses.
Affected Products
- Python urllib3 2.6.0
- Python urllib3 releases up to and including 2.6.x
- Applications and libraries depending on vulnerable urllib3 versions (including requests consumers)
Discovery Timeline
- 2026-05-13 - CVE-2026-44432 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-44432
Vulnerability Analysis
The vulnerability is a decompression bomb condition (decompression amplification). urllib3 exposes a streaming read API where callers request a bounded number of bytes via HTTPResponse.read(amt=N). The expectation is that decompression honors the same boundary, returning at most a controlled amount of decoded data per call. In the affected code paths, that boundary is not enforced. Servers can return responses encoded with Brotli or another supported algorithm in which a few kilobytes of compressed input expand into gigabytes of decoded output. The client allocates buffers to hold the fully decoded payload in a single operation, driving memory pressure and CPU saturation.
Root Cause
The defect lies in how urllib3 handles incremental decompression state across read() invocations. The first call to HTTPResponse.read(amt=N) returns the expected N bytes. The second call, when the backing decoder is the official Brotli library, drains the remaining compressed stream and decompresses it entirely rather than honoring the amt parameter. A parallel defect exists in HTTPResponse.drain_conn(), which is intended to discard residual bytes on the wire to permit connection reuse. When invoked after a partial read of a compressed response, drain_conn() routes leftover data through the decompressor regardless of algorithm, materializing the full decoded body.
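The boundary that the fixed release restores, shown as an added example that is not urllib3's own code: an incremental reader that caps decoded bytes per read() call and in total, and aborts rather than materializing the whole body. It uses zlib from the standard library in place of Brotli (assumption: the Brotli bindings offer an equivalent bounded-output decode, not shown here), and the compression-bomb body is constructed inline.

```python
import io
import zlib


class DecodedSizeLimitExceeded(Exception):
    """Raised when the decoded body grows past the caller's cap."""


class BoundedDecompressingReader:
    """Incremental decompressor that honours a per-call byte limit (amt) and
    an overall cap on decoded output, the property the vulnerable urllib3
    read paths lose. zlib stands in for Brotli here (assumption: the Brotli
    bindings expose an equivalent bounded-output decode; not shown)."""

    def __init__(self, raw, max_decoded, chunk=4096):
        self.raw = raw                     # file-like stream of compressed bytes
        self.decoder = zlib.decompressobj()
        self.max_decoded = max_decoded
        self.chunk = chunk
        self.total_decoded = 0
        self.eof = False

    def read(self, amt):
        out = bytearray()
        while len(out) < amt and not self.eof:
            need = amt - len(out)
            data = self.decoder.unconsumed_tail or self.raw.read(self.chunk)
            # max_length bounds the decoded bytes this call may produce; any
            # compressed input not yet consumed is parked in unconsumed_tail.
            piece = self.decoder.decompress(data, need)
            self.total_decoded += len(piece)
            if self.total_decoded > self.max_decoded:
                raise DecodedSizeLimitExceeded(self.total_decoded)
            out += piece
            if self.decoder.eof or (not data and not piece):
                self.eof = True
        return bytes(out)


def demo():
    # Constructed sample: 8 MiB of zeros shrinks to a few KB, the shape of a
    # compression-bomb response body.
    bomb = zlib.compress(b"\x00" * (8 * 1024 * 1024))
    reader = BoundedDecompressingReader(io.BytesIO(bomb), max_decoded=64 * 1024)
    first = reader.read(1024)   # bounded, like the first vulnerable read
    second = reader.read(1024)  # still bounded, unlike the vulnerable second read
    try:
        while reader.read(16 * 1024):
            pass
        hit_cap = False
    except DecodedSizeLimitExceeded:
        hit_cap = True          # caller should close the connection, not drain it
    return len(bomb), len(first), len(second), hit_cap
```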
Attack Vector
The attack requires no authentication and is exploitable over the network. An attacker controls or compromises an HTTP server that a Python client contacts. The server returns a Content-Encoding: br (or other supported encoding) response with a crafted compression ratio. When the client uses streaming reads with size limits as a defensive measure, the second read or a subsequent drain_conn() defeats that limit and forces full decompression. The vulnerability undermines defensive coding patterns that explicitly cap response sizes.
No public exploit code or proof-of-concept is currently available. See the GitHub Security Advisory GHSA-mf9v-mfxr-j63j for technical details.
Detection Methods for CVE-2026-44432
Indicators of Compromise
- Python processes consuming abnormal amounts of memory or CPU shortly after issuing outbound HTTPS requests
- HTTP responses to outbound requests carrying Content-Encoding: br with an unusually low Content-Length relative to the client's memory growth
- MemoryError exceptions or OOM-killer events in application logs tied to urllib3 or requests call stacks
Detection Strategies
- Inventory Python environments and identify installations of urllib3 versions 2.6.0 through 2.6.x using pip list or software bill of materials (SBOM) tooling
- Inspect dependency manifests (requirements.txt, Pipfile.lock, poetry.lock) for direct or transitive pins on vulnerable urllib3 ranges
- Add runtime telemetry around HTTPResponse.read() and HTTPResponse.drain_conn() call sites to capture decoded payload sizes
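A manifest check for the dependency inspection item above, added here and not part of the advisory: it flags urllib3 pins that fall inside the affected range in requirements.txt or pip freeze output. The sample manifest is constructed, and the version ordering is a simplification of PEP 440.

```python
import re

# Affected range from the advisory: 2.6.0 <= version < 2.7.0.
VULN_LOW, FIXED = (2, 6, 0), (2, 7, 0)

# Matches "urllib3==2.6.2" or "urllib3[socks]==2.6.2"; unpinned specifiers
# such as "urllib3>=2.5" are not resolvable from the manifest alone.
PIN_RE = re.compile(r"^\s*urllib3(?:\[[^\]]*\])?\s*==\s*(\S+)", re.IGNORECASE)
VER_RE = re.compile(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?([a-zA-Z].*)?")


def parse_version(text):
    """Numeric release tuple plus a flag for a pre-release tag such as 'rc1'.
    Simplified PEP 440 ordering; use packaging.version for full fidelity."""
    m = VER_RE.match(text)
    if not m:
        return None, False
    nums = tuple(int(g or 0) for g in m.groups()[:3])
    return nums, bool(m.group(4))


def is_vulnerable(version):
    nums, pre = parse_version(version)
    if nums is None:
        return False
    # A 2.7.0 pre-release predates the fix, so treat it as still affected.
    return VULN_LOW <= nums < FIXED or (nums == FIXED and pre)


def scan_pins(manifest_text):
    """Return [(line_no, version)] for urllib3 pins inside the affected range."""
    hits = []
    for n, line in enumerate(manifest_text.splitlines(), 1):
        m = PIN_RE.match(line.split("#", 1)[0])
        if m and is_vulnerable(m.group(1)):
            hits.append((n, m.group(1)))
    return hits


# Constructed sample manifest; not taken from any real project.
SAMPLE_MANIFEST = """\
requests==2.32.3
urllib3==2.6.2            # transitive pin left by a lock file
Urllib3[socks]==2.5.0
urllib3==2.7.0rc1
urllib3==2.7.0
"""
```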
Monitoring Recommendations
- Alert on Python worker processes whose resident set size grows beyond expected thresholds during outbound HTTP activity
- Monitor for repeated OOM terminations of services that perform outbound HTTP requests
- Correlate egress traffic to untrusted hosts with abnormal post-request memory allocation patterns
How to Mitigate CVE-2026-44432
Immediate Actions Required
- Upgrade urllib3 to version 2.7.0 or later in all Python environments
- Rebuild and redeploy container images and virtual environments that bundle urllib3 as a direct or transitive dependency
- Audit applications that fetch responses from untrusted servers and treat them as exposure-priority targets for patching
Patch Information
The maintainers fixed the issue in urllib3 2.7.0. The fix restores the amt boundary across successive read() calls when Brotli is used and prevents drain_conn() from feeding residual bytes into the decompressor. Refer to the urllib3 security advisory GHSA-mf9v-mfxr-j63j for the full patch reference.
Workarounds
- Disable Brotli decoding by uninstalling the brotli and brotlicffi packages where business logic does not require it
- Avoid calling HTTPResponse.drain_conn() on responses that have been partially read with decompression enabled; close the connection instead
- Restrict outbound HTTP traffic to trusted destinations through egress proxies or allowlists until patches are deployed
# Upgrade urllib3 to the patched release
pip install --upgrade 'urllib3>=2.7.0'
# Verify the installed version
python -c "import urllib3; print(urllib3.__version__)"
# Optional: remove Brotli support as a temporary mitigation
pip uninstall -y brotli brotlicffi
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.