CVE-2026-9375

Name	CVE-2026-9375
Description	urllib3 version 2.6.3 is vulnerable to a decompression bomb bypass in its streaming API (`preload_content=False`) when using Brotli support. The issue arises due to three independent code paths in `response.py` that bypass the `max_length` protection introduced in version 2.6.0 to mitigate CVE-2025-66471. Specifically, negative `max_length` values can be produced due to buffer arithmetic in `read()`, `flush_decoder` unconditionally overrides `max_length` to `-1`, and `_flush_decoder()` passes no limit at all, defaulting to unlimited decompression. This allows a malicious HTTP server to trigger an out-of-memory (OOM) condition by decompressing large payloads into memory, leading to a denial of service (DoS). The vulnerability affects urllib3 2.6.3 and Brotli 1.2.0 and impacts applications and libraries using `requests` or `urllib3` to stream content from untrusted sources.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs	1140427

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
python-urllib3 (PTS)	bullseye	1.26.5-1~exp1	vulnerable
	bullseye (security)	1.26.5-1~exp1+deb11u3	vulnerable
	bookworm, bookworm (security)	1.26.12-1+deb12u3	vulnerable
	trixie (security), trixie	2.3.0-3+deb13u1	vulnerable
	forky, sid	2.6.3-2	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
python-urllib3	source	(unstable)	(unfixed)			1140427

Notes

[trixie] - python-urllib3 <ignored> (Intrusive to backport; requires update for src:brotli for effective fix)
Fixed by: https://github.com/urllib3/urllib3/commit/2bdcc44d1e163fb5cc48a8662425e35e15adfe6a (2.7.0)
Relates to the fix for CVE-2025-66471.