OESA-2026-2815

Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2026-2815
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2026-2815.json
JSON Data
https://api.osv.dev/v1/vulns/OESA-2026-2815
Upstream
Published
2026-07-06T06:26:27Z
Modified
2026-07-06T06:45:11.245252119Z
Summary
python-urllib3 security update
Details

HTTP library with thread-safe connection pooling, file post support, sanity friendly, and more.

Security Fix(es):

urllib3 version 2.6.3 is vulnerable to a decompression bomb bypass in its streaming API (preload_content=False) when using Brotli support. The issue arises due to three independent code paths in response.py that bypass the max_length protection introduced in version 2.6.0 to mitigate CVE-2025-66471. Specifically, negative max_length values can be produced due to buffer arithmetic in read(), flush_decoder unconditionally overrides max_length to -1, and _flush_decoder() passes no limit at all, defaulting to unlimited decompression. This allows a malicious HTTP server to trigger an out-of-memory (OOM) condition by decompressing large payloads into memory, leading to a denial of service (DoS). The vulnerability affects urllib3 2.6.3 and Brotli 1.2.0 and impacts applications and libraries using requests or urllib3 to stream content from untrusted sources.(CVE-2026-9375)

Database specific
{
    "severity": "High"
}
References

Affected packages

openEuler:24.03-LTS-SP1 / python-urllib3

Package

Name
python-urllib3
Purl
pkg:rpm/openEuler/python-urllib3&distro=openEuler-24.03-LTS-SP1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.26.18-9.oe2403sp1

Ecosystem specific

{
    "src": [
        "python-urllib3-1.26.18-9.oe2403sp1.src.rpm"
    ],
    "noarch": [
        "python3-urllib3-1.26.18-9.oe2403sp1.noarch.rpm"
    ]
}

Database specific

source
"https://repo.openeuler.org/security/data/osv/OESA-2026-2815.json"