SB2026012604 - Red Hat Enterprise Linux 9 update for python3.12-urllib3 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2026012604

SB2026012604 - Red Hat Enterprise Linux 9 update for python3.12-urllib3

Published: January 26, 2026

Security Bulletin ID SB2026012604
Severity
Medium
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.


1) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2025-66418)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to missing limits on the number of links in the decompression chain when handling gzip or zstd data in the server response. A malicious server can send a response with a large amount of links and cause high CPU load, leading to a denial of service condition. 


2) Resource exhaustion (CVE-ID: CVE-2025-66471)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to the streaming API does not properly control consumption of internal resources. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


3) Improper handling of highly compressed data (CVE-ID: CVE-2026-21441)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to the application does not properly handle highly compressed data when sending HTTP redirect responses. A remote attacker can multiple large requests to the application, consume all available CPU and memory resources and perform a denial of service attack.


Remediation

Install update from vendor's website.

References