UBUNTU-CVE-2026-44432

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2026-44432

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-44432.json

JSON Data

https://api.test.osv.dev/v1/vulns/UBUNTU-CVE-2026-44432

Upstream

CVE-2026-44432

Published

2026-05-13T16:16:00Z

Modified

2026-05-22T22:15:06.027701868Z

Severity

8.9 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H CVSS Calculator
7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portion (1) during the second HTTPResponse.read(amt=N) call when the response was decompressed using the official Brotli library or (2) when HTTPResponse.drain_conn() was called after the response had been read and decompressed partially (compression algorithm did not matter here). These issues could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This could result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data) on the client side. This vulnerability is fixed in 2.7.0.

References

Affected packages

Ubuntu:22.04:LTS

python-pip

Package

Name: python-pip
Purl: pkg:deb/ubuntu/python-pip?arch=source&distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

20.*

20.3.4-4

21.*

21.3.1+dfsg-3

22.*

22.0.2+dfsg-1

22.0.2+dfsg-1ubuntu0.1

22.0.2+dfsg-1ubuntu0.2

22.0.2+dfsg-1ubuntu0.3

22.0.2+dfsg-1ubuntu0.4

22.0.2+dfsg-1ubuntu0.5

22.0.2+dfsg-1ubuntu0.6

22.0.2+dfsg-1ubuntu0.7

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "python3-pip",
            "binary_version": "22.0.2+dfsg-1ubuntu0.7"
        },
        {
            "binary_name": "python3-pip-whl",
            "binary_version": "22.0.2+dfsg-1ubuntu0.7"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-44432.json"

Ubuntu:24.04:LTS

python-pip

Package

Name: python-pip
Purl: pkg:deb/ubuntu/python-pip?arch=source&distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

23.*

23.2+dfsg-1

23.3+dfsg-1

24.*

24.0+dfsg-1

24.0+dfsg-1ubuntu1

24.0+dfsg-1ubuntu1.1

24.0+dfsg-1ubuntu1.2

24.0+dfsg-1ubuntu1.3

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "python3-pip",
            "binary_version": "24.0+dfsg-1ubuntu1.3"
        },
        {
            "binary_name": "python3-pip-whl",
            "binary_version": "24.0+dfsg-1ubuntu1.3"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-44432.json"

Ubuntu:25.10

python-pip

Package

Name: python-pip
Purl: pkg:deb/ubuntu/python-pip?arch=source&distro=questing

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

25.*

25.0+dfsg-1

25.1.1+dfsg-1

25.1.1+dfsg-1ubuntu1

25.1.1+dfsg-1ubuntu2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "python3-pip",
            "binary_version": "25.1.1+dfsg-1ubuntu2"
        },
        {
            "binary_name": "python3-pip-whl",
            "binary_version": "25.1.1+dfsg-1ubuntu2"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-44432.json"

Ubuntu:26.04:LTS

python-pip

Package

Name: python-pip
Purl: pkg:deb/ubuntu/python-pip?arch=source&distro=resolute

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

25.*

25.1.1+dfsg-1ubuntu2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "python3-pip",
            "binary_version": "25.1.1+dfsg-1ubuntu2"
        },
        {
            "binary_name": "python3-pip-whl",
            "binary_version": "25.1.1+dfsg-1ubuntu2"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-44432.json"

python-urllib3

Package

Name: python-urllib3
Purl: pkg:deb/ubuntu/python-urllib3?arch=source&distro=resolute

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.3.0-3

2.5.0-1

2.5.0-1ubuntu1

2.5.0-1ubuntu2

2.6.3-1ubuntu1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "python3-urllib3",
            "binary_version": "2.6.3-1ubuntu1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-44432.json"

Ubuntu:Pro:14.04:LTS

python-pip

Package

Name: python-pip
Purl: pkg:deb/ubuntu/python-pip?arch=source&distro=esm-infra-legacy%2Ftrusty

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.4.1-2

1.5.4-1

1.5.4-1ubuntu1

1.5.4-1ubuntu3

1.5.4-1ubuntu4

1.5.4-1ubuntu4+esm1

1.5.4-1ubuntu4+esm2

1.5.4-1ubuntu4+esm3

1.5.4-1ubuntu4+esm4

1.5.4-1ubuntu4+esm5

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "python-pip",
            "binary_version": "1.5.4-1ubuntu4+esm5"
        },
        {
            "binary_name": "python-pip-whl",
            "binary_version": "1.5.4-1ubuntu4+esm5"
        },
        {
            "binary_name": "python3-pip",
            "binary_version": "1.5.4-1ubuntu4+esm5"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-44432.json"

python-urllib3

Package

Name: python-urllib3
Purl: pkg:deb/ubuntu/python-urllib3?arch=source&distro=esm-infra-legacy%2Ftrusty

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.6-2

1.7.1-1

1.7.1-1build1

1.7.1-1ubuntu0.1

1.7.1-1ubuntu3

1.7.1-1ubuntu4

1.7.1-1ubuntu4.1

1.7.1-1ubuntu4.1+esm1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "python-urllib3",
            "binary_version": "1.7.1-1ubuntu4.1+esm1"
        },
        {
            "binary_name": "python-urllib3-whl",
            "binary_version": "1.7.1-1ubuntu4.1+esm1"
        },
        {
            "binary_name": "python3-urllib3",
            "binary_version": "1.7.1-1ubuntu4.1+esm1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-44432.json"

Ubuntu:Pro:16.04:LTS

python-urllib3

Package

Name: python-urllib3
Purl: pkg:deb/ubuntu/python-urllib3?arch=source&distro=esm-infra%2Fxenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.11-1

1.12-1

1.13.1-1

1.13.1-2

1.13.1-2ubuntu0.16.04.1

1.13.1-2ubuntu0.16.04.2

1.13.1-2ubuntu0.16.04.3

1.13.1-2ubuntu0.16.04.4

1.13.1-2ubuntu0.16.04.4+esm1

1.13.1-2ubuntu0.16.04.4+esm2

1.13.1-2ubuntu0.16.04.4+esm3

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "python-urllib3",
            "binary_version": "1.13.1-2ubuntu0.16.04.4+esm3"
        },
        {
            "binary_name": "python3-urllib3",
            "binary_version": "1.13.1-2ubuntu0.16.04.4+esm3"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-44432.json"

python-pip

Package

Name: python-pip
Purl: pkg:deb/ubuntu/python-pip?arch=source&distro=esm-apps%2Fxenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.5.6-7ubuntu1

1.5.6-7ubuntu2

8.*

8.0.2-7

8.0.3-1

8.0.3-2

8.1.0-1

8.1.0-2

8.1.1-1

8.1.1-2

8.1.1-2ubuntu0.1

8.1.1-2ubuntu0.2

8.1.1-2ubuntu0.4

8.1.1-2ubuntu0.6

8.1.1-2ubuntu0.6+esm2

8.1.1-2ubuntu0.6+esm3

8.1.1-2ubuntu0.6+esm4

8.1.1-2ubuntu0.6+esm5

8.1.1-2ubuntu0.6+esm6

8.1.1-2ubuntu0.6+esm8

8.1.1-2ubuntu0.6+esm10

8.1.1-2ubuntu0.6+esm11

8.1.1-2ubuntu0.6+esm12

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "python-pip",
            "binary_version": "8.1.1-2ubuntu0.6+esm12"
        },
        {
            "binary_name": "python-pip-whl",
            "binary_version": "8.1.1-2ubuntu0.6+esm12"
        },
        {
            "binary_name": "python3-pip",
            "binary_version": "8.1.1-2ubuntu0.6+esm12"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-44432.json"

Ubuntu:Pro:18.04:LTS

python-urllib3

Package

Name: python-urllib3
Purl: pkg:deb/ubuntu/python-urllib3?arch=source&distro=esm-infra%2Fbionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.21.1-1

1.22-1

1.22-1ubuntu0.18.04.1

1.22-1ubuntu0.18.04.2

1.22-1ubuntu0.18.04.2+esm1

1.22-1ubuntu0.18.04.2+esm2

1.22-1ubuntu0.18.04.2+esm3

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "python-urllib3",
            "binary_version": "1.22-1ubuntu0.18.04.2+esm3"
        },
        {
            "binary_name": "python3-urllib3",
            "binary_version": "1.22-1ubuntu0.18.04.2+esm3"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-44432.json"

python-pip

Package

Name: python-pip
Purl: pkg:deb/ubuntu/python-pip?arch=source&distro=esm-apps%2Fbionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

9.*

9.0.1-2

9.0.1-2.3~ubuntu1

9.0.1-2.3~ubuntu1.18.04.1

9.0.1-2.3~ubuntu1.18.04.2

9.0.1-2.3~ubuntu1.18.04.3

9.0.1-2.3~ubuntu1.18.04.4

9.0.1-2.3~ubuntu1.18.04.5

9.0.1-2.3~ubuntu1.18.04.5+esm2

9.0.1-2.3~ubuntu1.18.04.5+esm3

9.0.1-2.3~ubuntu1.18.04.6

9.0.1-2.3~ubuntu1.18.04.6+esm1

9.0.1-2.3~ubuntu1.18.04.7

9.0.1-2.3~ubuntu1.18.04.7+esm1

9.0.1-2.3~ubuntu1.18.04.8

9.0.1-2.3~ubuntu1.18.04.8+esm1

9.0.1-2.3~ubuntu1.18.04.8+esm2

9.0.1-2.3~ubuntu1.18.04.8+esm4

9.0.1-2.3~ubuntu1.18.04.8+esm6

9.0.1-2.3~ubuntu1.18.04.8+esm7

9.0.1-2.3~ubuntu1.18.04.8+esm8

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "python-pip",
            "binary_version": "9.0.1-2.3~ubuntu1.18.04.8+esm8"
        },
        {
            "binary_name": "python-pip-whl",
            "binary_version": "9.0.1-2.3~ubuntu1.18.04.8+esm8"
        },
        {
            "binary_name": "python3-pip",
            "binary_version": "9.0.1-2.3~ubuntu1.18.04.8+esm8"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-44432.json"

Ubuntu:Pro:20.04:LTS

python-urllib3

Package

Name: python-urllib3
Purl: pkg:deb/ubuntu/python-urllib3?arch=source&distro=esm-infra%2Ffocal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.24.1-1ubuntu1

1.24.1-1ubuntu2

1.25.8-1

1.25.8-2

1.25.8-2ubuntu0.1

1.25.8-2ubuntu0.2

1.25.8-2ubuntu0.3

1.25.8-2ubuntu0.4

1.25.8-2ubuntu0.4+esm1

1.25.8-2ubuntu0.4+esm2

1.25.8-2ubuntu0.4+esm3

1.25.8-2ubuntu0.4+esm4

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "python3-urllib3",
            "binary_version": "1.25.8-2ubuntu0.4+esm4"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-44432.json"

python-pip

Package

Name: python-pip
Purl: pkg:deb/ubuntu/python-pip?arch=source&distro=esm-apps%2Ffocal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

18.*

18.1-5

18.1-5build1

18.1-5ubuntu1

20.*

20.0.2-2

20.0.2-4

20.0.2-5

20.0.2-5ubuntu1

20.0.2-5ubuntu1.1

20.0.2-5ubuntu1.3

20.0.2-5ubuntu1.4

20.0.2-5ubuntu1.5

20.0.2-5ubuntu1.6

20.0.2-5ubuntu1.7

20.0.2-5ubuntu1.8

20.0.2-5ubuntu1.9

20.0.2-5ubuntu1.10

20.0.2-5ubuntu1.10+esm2

20.0.2-5ubuntu1.11

20.0.2-5ubuntu1.11+esm2

20.0.2-5ubuntu1.11+esm3

20.0.2-5ubuntu1.11+esm4

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "python-pip-whl",
            "binary_version": "20.0.2-5ubuntu1.11+esm4"
        },
        {
            "binary_name": "python3-pip",
            "binary_version": "20.0.2-5ubuntu1.11+esm4"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-44432.json"