The fence-agents packages in Red Hat Enterprise Linux 8.4 provide remote power management scripts for cluster nodes. Two security issues in the urllib3 streaming API used by these packages have been identified: CVE-2025-66471 involves improper handling of highly compressed data, and CVE-2026-21441 involves a bypass of the decompression-bomb safeguard when following HTTP redirects. Both vulnerabilities could lead to unexpected behavior or resource exhaustion during data decompression. Red Hat has issued an important security update (RHSA-2026:1803) that addresses these vulnerabilities by updating the fence-agents packages. The advisory covers multiple Red Hat Enterprise Linux 8.4 variants including Advanced Mission Critical Update Support and Extended Update Support. No CVSS scores are provided in the advisory, and no exploits are known in the wild.

The vulnerabilities affect the urllib3 streaming API used by fence-agents, which manage remote power control in cluster environments. Improper handling of compressed data and bypassing decompression safeguards could lead to denial of service or other stability issues in cluster node management. This may impact the ability to reliably fence failed or unreachable nodes, potentially affecting cluster availability and management. However, no known exploits have been reported in the wild, and the severity is rated as Important by Red Hat.

Red Hat has released updated fence-agents packages that fix the identified vulnerabilities. Users of affected Red Hat Enterprise Linux 8.4 variants should apply the security update RHSA-2026:1803 as described in the Red Hat advisory (https://access.redhat.com/articles/11258). Applying this update will remediate the vulnerabilities in urllib3 used by fence-agents. There is no indication that additional mitigations are required beyond applying the official patch.