UBUNTU-CVE-2026-9375

Source
https://ubuntu.com/security/CVE-2026-9375
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-9375.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-9375
Upstream
Published
2026-06-19T19:16:00Z
Modified
2026-07-07T21:01:23.617579814Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
  • Ubuntu - medium
Summary
[none]
Details

urllib3 version 2.6.3 is vulnerable to a decompression bomb bypass in its streaming API (preload_content=False) when using Brotli support. The issue arises due to three independent code paths in response.py that bypass the max_length protection introduced in version 2.6.0 to mitigate CVE-2025-66471. Specifically, negative max_length values can be produced due to buffer arithmetic in read(), flush_decoder unconditionally overrides max_length to -1, and _flush_decoder() passes no limit at all, defaulting to unlimited decompression. This allows a malicious HTTP server to trigger an out-of-memory (OOM) condition by decompressing large payloads into memory, leading to a denial of service (DoS). The vulnerability affects urllib3 2.6.3 and Brotli 1.2.0 and impacts applications and libraries using requests or urllib3 to stream content from untrusted sources.

References

Affected packages

Ubuntu:22.04:LTS
python-urllib3

Package

Name
python-urllib3
Purl
pkg:deb/ubuntu/python-urllib3?arch=source&distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.26.5-1~exp1
1.26.5-1~exp1ubuntu0.1
1.26.5-1~exp1ubuntu0.2
1.26.5-1~exp1ubuntu0.3
1.26.5-1~exp1ubuntu0.4
1.26.5-1~exp1ubuntu0.5
1.26.5-1~exp1ubuntu0.6
1.26.5-1~exp1ubuntu0.7

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "python3-urllib3",
            "binary_version": "1.26.5-1~exp1ubuntu0.7"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-9375.json"
Ubuntu:24.04:LTS
python-urllib3

Package

Name
python-urllib3
Purl
pkg:deb/ubuntu/python-urllib3?arch=source&distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.26.16-1
1.26.18-1
2.*
2.0.7-1
2.0.7-1ubuntu0.1
2.0.7-1ubuntu0.2
2.0.7-1ubuntu0.3
2.0.7-1ubuntu0.4
2.0.7-1ubuntu0.5
2.0.7-1ubuntu0.6
2.0.7-1ubuntu0.7

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "python3-urllib3",
            "binary_version": "2.0.7-1ubuntu0.7"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-9375.json"
Ubuntu:25.10
python-pip

Package

Name
python-pip
Purl
pkg:deb/ubuntu/python-pip?arch=source&distro=questing

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

25.*
25.0+dfsg-1
25.1.1+dfsg-1
25.1.1+dfsg-1ubuntu1
25.1.1+dfsg-1ubuntu2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "python3-pip",
            "binary_version": "25.1.1+dfsg-1ubuntu2"
        },
        {
            "binary_name": "python3-pip-whl",
            "binary_version": "25.1.1+dfsg-1ubuntu2"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-9375.json"
python-urllib3

Package

Name
python-urllib3
Purl
pkg:deb/ubuntu/python-urllib3?arch=source&distro=questing

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.3.0-2
2.3.0-2ubuntu1
2.3.0-3
2.3.0-3ubuntu0.1
2.3.0-3ubuntu0.2
2.3.0-3ubuntu0.3
2.3.0-3ubuntu0.4
2.3.0-3ubuntu0.6

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "python3-urllib3",
            "binary_version": "2.3.0-3ubuntu0.6"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-9375.json"
Ubuntu:26.04:LTS
python-urllib3

Package

Name
python-urllib3
Purl
pkg:deb/ubuntu/python-urllib3?arch=source&distro=resolute

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.3.0-3
2.5.0-1
2.5.0-1ubuntu1
2.5.0-1ubuntu2
2.6.3-1ubuntu1
2.6.3-1ubuntu1.1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "python3-urllib3",
            "binary_version": "2.6.3-1ubuntu1.1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-9375.json"
Ubuntu:Pro:14.04:LTS
python-pip

Package

Name
python-pip
Purl
pkg:deb/ubuntu/python-pip?arch=source&distro=esm-infra-legacy%2Ftrusty

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.4.1-2
1.5.4-1
1.5.4-1ubuntu1
1.5.4-1ubuntu3
1.5.4-1ubuntu4
1.5.4-1ubuntu4+esm1
1.5.4-1ubuntu4+esm2
1.5.4-1ubuntu4+esm3
1.5.4-1ubuntu4+esm4
1.5.4-1ubuntu4+esm5

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "python-pip",
            "binary_version": "1.5.4-1ubuntu4+esm5"
        },
        {
            "binary_name": "python-pip-whl",
            "binary_version": "1.5.4-1ubuntu4+esm5"
        },
        {
            "binary_name": "python3-pip",
            "binary_version": "1.5.4-1ubuntu4+esm5"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-9375.json"
python-urllib3

Package

Name
python-urllib3
Purl
pkg:deb/ubuntu/python-urllib3?arch=source&distro=esm-infra-legacy%2Ftrusty

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.6-2
1.7.1-1
1.7.1-1build1
1.7.1-1ubuntu0.1
1.7.1-1ubuntu3
1.7.1-1ubuntu4
1.7.1-1ubuntu4.1
1.7.1-1ubuntu4.1+esm1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "python-urllib3",
            "binary_version": "1.7.1-1ubuntu4.1+esm1"
        },
        {
            "binary_name": "python-urllib3-whl",
            "binary_version": "1.7.1-1ubuntu4.1+esm1"
        },
        {
            "binary_name": "python3-urllib3",
            "binary_version": "1.7.1-1ubuntu4.1+esm1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-9375.json"
Ubuntu:Pro:16.04:LTS
python-urllib3

Package

Name
python-urllib3
Purl
pkg:deb/ubuntu/python-urllib3?arch=source&distro=esm-infra%2Fxenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.11-1
1.12-1
1.13.1-1
1.13.1-2
1.13.1-2ubuntu0.16.04.1
1.13.1-2ubuntu0.16.04.2
1.13.1-2ubuntu0.16.04.3
1.13.1-2ubuntu0.16.04.4
1.13.1-2ubuntu0.16.04.4+esm1
1.13.1-2ubuntu0.16.04.4+esm2
1.13.1-2ubuntu0.16.04.4+esm3

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "python-urllib3",
            "binary_version": "1.13.1-2ubuntu0.16.04.4+esm3"
        },
        {
            "binary_name": "python3-urllib3",
            "binary_version": "1.13.1-2ubuntu0.16.04.4+esm3"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-9375.json"
python-pip

Package

Name
python-pip
Purl
pkg:deb/ubuntu/python-pip?arch=source&distro=esm-apps%2Fxenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.5.6-7ubuntu1
1.5.6-7ubuntu2
8.*
8.0.2-7
8.0.3-1
8.0.3-2
8.1.0-1
8.1.0-2
8.1.1-1
8.1.1-2
8.1.1-2ubuntu0.1
8.1.1-2ubuntu0.2
8.1.1-2ubuntu0.4
8.1.1-2ubuntu0.6
8.1.1-2ubuntu0.6+esm2
8.1.1-2ubuntu0.6+esm3
8.1.1-2ubuntu0.6+esm4
8.1.1-2ubuntu0.6+esm5
8.1.1-2ubuntu0.6+esm6
8.1.1-2ubuntu0.6+esm8
8.1.1-2ubuntu0.6+esm10
8.1.1-2ubuntu0.6+esm11
8.1.1-2ubuntu0.6+esm12

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "python-pip",
            "binary_version": "8.1.1-2ubuntu0.6+esm12"
        },
        {
            "binary_name": "python-pip-whl",
            "binary_version": "8.1.1-2ubuntu0.6+esm12"
        },
        {
            "binary_name": "python3-pip",
            "binary_version": "8.1.1-2ubuntu0.6+esm12"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-9375.json"
Ubuntu:Pro:18.04:LTS
python-urllib3

Package

Name
python-urllib3
Purl
pkg:deb/ubuntu/python-urllib3?arch=source&distro=esm-infra%2Fbionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.21.1-1
1.22-1
1.22-1ubuntu0.18.04.1
1.22-1ubuntu0.18.04.2
1.22-1ubuntu0.18.04.2+esm1
1.22-1ubuntu0.18.04.2+esm2
1.22-1ubuntu0.18.04.2+esm3

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "python-urllib3",
            "binary_version": "1.22-1ubuntu0.18.04.2+esm3"
        },
        {
            "binary_name": "python3-urllib3",
            "binary_version": "1.22-1ubuntu0.18.04.2+esm3"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-9375.json"
python-pip

Package

Name
python-pip
Purl
pkg:deb/ubuntu/python-pip?arch=source&distro=esm-apps%2Fbionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

9.*
9.0.1-2
9.0.1-2.3~ubuntu1
9.0.1-2.3~ubuntu1.18.04.1
9.0.1-2.3~ubuntu1.18.04.2
9.0.1-2.3~ubuntu1.18.04.3
9.0.1-2.3~ubuntu1.18.04.4
9.0.1-2.3~ubuntu1.18.04.5
9.0.1-2.3~ubuntu1.18.04.5+esm2
9.0.1-2.3~ubuntu1.18.04.5+esm3
9.0.1-2.3~ubuntu1.18.04.6
9.0.1-2.3~ubuntu1.18.04.6+esm1
9.0.1-2.3~ubuntu1.18.04.7
9.0.1-2.3~ubuntu1.18.04.7+esm1
9.0.1-2.3~ubuntu1.18.04.8
9.0.1-2.3~ubuntu1.18.04.8+esm1
9.0.1-2.3~ubuntu1.18.04.8+esm2
9.0.1-2.3~ubuntu1.18.04.8+esm4
9.0.1-2.3~ubuntu1.18.04.8+esm6
9.0.1-2.3~ubuntu1.18.04.8+esm7
9.0.1-2.3~ubuntu1.18.04.8+esm8

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "python-pip",
            "binary_version": "9.0.1-2.3~ubuntu1.18.04.8+esm8"
        },
        {
            "binary_name": "python-pip-whl",
            "binary_version": "9.0.1-2.3~ubuntu1.18.04.8+esm8"
        },
        {
            "binary_name": "python3-pip",
            "binary_version": "9.0.1-2.3~ubuntu1.18.04.8+esm8"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-9375.json"
Ubuntu:Pro:20.04:LTS
python-urllib3

Package

Name
python-urllib3
Purl
pkg:deb/ubuntu/python-urllib3?arch=source&distro=esm-infra%2Ffocal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.24.1-1ubuntu1
1.24.1-1ubuntu2
1.25.8-1
1.25.8-2
1.25.8-2ubuntu0.1
1.25.8-2ubuntu0.2
1.25.8-2ubuntu0.3
1.25.8-2ubuntu0.4
1.25.8-2ubuntu0.4+esm1
1.25.8-2ubuntu0.4+esm2
1.25.8-2ubuntu0.4+esm3
1.25.8-2ubuntu0.4+esm4

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "python3-urllib3",
            "binary_version": "1.25.8-2ubuntu0.4+esm4"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-9375.json"
python-pip

Package

Name
python-pip
Purl
pkg:deb/ubuntu/python-pip?arch=source&distro=esm-apps%2Ffocal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

18.*
18.1-5
18.1-5build1
18.1-5ubuntu1
20.*
20.0.2-2
20.0.2-4
20.0.2-5
20.0.2-5ubuntu1
20.0.2-5ubuntu1.1
20.0.2-5ubuntu1.3
20.0.2-5ubuntu1.4
20.0.2-5ubuntu1.5
20.0.2-5ubuntu1.6
20.0.2-5ubuntu1.7
20.0.2-5ubuntu1.8
20.0.2-5ubuntu1.9
20.0.2-5ubuntu1.10
20.0.2-5ubuntu1.10+esm2
20.0.2-5ubuntu1.11
20.0.2-5ubuntu1.11+esm2
20.0.2-5ubuntu1.11+esm3
20.0.2-5ubuntu1.11+esm4

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "python-pip-whl",
            "binary_version": "20.0.2-5ubuntu1.11+esm4"
        },
        {
            "binary_name": "python3-pip",
            "binary_version": "20.0.2-5ubuntu1.11+esm4"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-9375.json"
Ubuntu:Pro:22.04:LTS
python-pip

Package

Name
python-pip
Purl
pkg:deb/ubuntu/python-pip?arch=source&distro=esm-apps%2Fjammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

20.*
20.3.4-4
21.*
21.3.1+dfsg-3
22.*
22.0.2+dfsg-1
22.0.2+dfsg-1ubuntu0.1
22.0.2+dfsg-1ubuntu0.2
22.0.2+dfsg-1ubuntu0.3
22.0.2+dfsg-1ubuntu0.4
22.0.2+dfsg-1ubuntu0.5
22.0.2+dfsg-1ubuntu0.6
22.0.2+dfsg-1ubuntu0.7
22.0.2+dfsg-1ubuntu0.7+esm1
22.0.2+dfsg-1ubuntu0.7+esm2
22.0.2+dfsg-1ubuntu0.7+esm3

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "python3-pip",
            "binary_version": "22.0.2+dfsg-1ubuntu0.7+esm3"
        },
        {
            "binary_name": "python3-pip-whl",
            "binary_version": "22.0.2+dfsg-1ubuntu0.7+esm3"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-9375.json"
Ubuntu:Pro:24.04:LTS
python-pip

Package

Name
python-pip
Purl
pkg:deb/ubuntu/python-pip?arch=source&distro=esm-apps%2Fnoble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

23.*
23.2+dfsg-1
23.3+dfsg-1
24.*
24.0+dfsg-1
24.0+dfsg-1ubuntu1
24.0+dfsg-1ubuntu1.1
24.0+dfsg-1ubuntu1.2
24.0+dfsg-1ubuntu1.3
24.0+dfsg-1ubuntu1.3+esm1
24.0+dfsg-1ubuntu1.3+esm2
24.0+dfsg-1ubuntu1.3+esm3

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "python3-pip",
            "binary_version": "24.0+dfsg-1ubuntu1.3+esm3"
        },
        {
            "binary_name": "python3-pip-whl",
            "binary_version": "24.0+dfsg-1ubuntu1.3+esm3"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-9375.json"
Ubuntu:Pro:26.04:LTS
python-pip

Package

Name
python-pip
Purl
pkg:deb/ubuntu/python-pip?arch=source&distro=esm-apps%2Fresolute

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

25.*
25.1.1+dfsg-1ubuntu2
25.1.1+dfsg-1ubuntu2+esm1
25.1.1+dfsg-1ubuntu2+esm2
25.1.1+dfsg-1ubuntu2+esm3

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "python3-pip",
            "binary_version": "25.1.1+dfsg-1ubuntu2+esm3"
        },
        {
            "binary_name": "python3-pip-whl",
            "binary_version": "25.1.1+dfsg-1ubuntu2+esm3"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-9375.json"