Threats Tagged 'cve-2026-21441'

View all threats tagged with 'cve-2026-21441'. Filter and sort to focus on specific types of threats.


Red Hat Security Advisory: python-urllib3 security update
CVE-2025-66418

Multiple vulnerabilities have been identified in the python-urllib3 package used in Red Hat Enterprise Linux 10. These include an unbounded decompression chain leading to resource exhaustion (CVE-2025-66418), improper handling of highly compressed data in the streaming API (CVE-2025-66471), and a decompression-bomb safeguard bypass when following HTTP redirects in the streaming API (CVE-2026-21441). Red Hat has issued an important security advisory with updated packages addressing these issues. The vulnerabilities could potentially lead to resource exhaustion or bypass of decompression safeguards. A security update is available and should be applied to affected systems to remediate these issues.

Red Hat Security Advisory: fence-agents security update
CVE-2025-66418

This advisory addresses security vulnerabilities in the fence-agents packages used in Red Hat Enterprise Linux 9. These packages manage remote power control for cluster devices, enabling forced restart and removal of failed or unreachable nodes. The update fixes three urllib3-related vulnerabilities involving unbounded decompression chains and improper handling of highly compressed data, which could lead to resource exhaustion or bypass decompression-bomb safeguards. The vendor rates the update as important and has released patches for affected Red Hat Enterprise Linux 9 variants. No known exploits are reported in the wild at this time.

Red Hat Security Advisory: fence-agents security update
CVE-2025-66418

Multiple vulnerabilities affecting the fence-agents packages in Red Hat Enterprise Linux 8 have been addressed. These vulnerabilities relate to the urllib3 library used by fence-agents, including unbounded decompression chains leading to resource exhaustion (CVE-2025-66418), improper handling of highly compressed data in the streaming API (CVE-2025-66471), and a decompression-bomb safeguard bypass when following HTTP redirects (CVE-2026-21441). The fence-agents packages are used for remote power management in cluster environments, enabling forced restart and removal of failed or unreachable nodes. Red Hat has released an important security update to fix these issues. The advisory does not indicate any known exploits in the wild. No CVSS scores are provided, but the vendor rates the update as important, and the overall severity is high.

Red Hat Security Advisory: resource-agents security update
CVE-2025-66418

This advisory addresses multiple security vulnerabilities in the urllib3 library used by the resource-agents packages in Red Hat Enterprise Linux 8 High Availability and Resilient Storage environments. The vulnerabilities include unbounded decompression chains leading to resource exhaustion (CVE-2025-66418), improper handling of highly compressed data in the streaming API (CVE-2025-66471), and a decompression-bomb safeguard bypass when following HTTP redirects (CVE-2026-21441). These issues could impact the stability and reliability of high-availability service managers that rely on these scripts. Red Hat has released an important security update to fix these issues. Users of affected Red Hat Enterprise Linux 8 variants should apply the update as per the vendor guidance.

Red Hat Security Advisory: python3.12-urllib3 security update
CVE-2025-66418

This advisory addresses multiple security vulnerabilities in the python3.12-urllib3 package for Red Hat Enterprise Linux 9.6 Extended Update Support. The issues include an unbounded decompression chain leading to resource exhaustion (CVE-2025-66418), improper handling of highly compressed data in the streaming API (CVE-2025-66471), and a decompression-bomb safeguard bypass when following HTTP redirects in the streaming API (CVE-2026-21441). These vulnerabilities could allow resource exhaustion or bypass of decompression safeguards. Red Hat has released updated python3.12-urllib3 packages that fix these issues. The advisory rates the security impact as Important (high severity).

Red Hat Security Advisory: python-urllib3 security update
CVE-2025-66418

Multiple security vulnerabilities have been identified in the python-urllib3 package used in Red Hat Enterprise Linux 9.6 Extended Update Support. These include an unbounded decompression chain leading to resource exhaustion (CVE-2025-66418), improper handling of highly compressed data in the streaming API (CVE-2025-66471), and a decompression-bomb safeguard bypass when following HTTP redirects in the streaming API (CVE-2026-21441). Red Hat has issued an important security advisory (RHSA-2026:1729) addressing these issues with updated python-urllib3 packages. The vulnerabilities relate to resource exhaustion and potential denial-of-service conditions. Updated packages are available for multiple Red Hat Enterprise Linux 9.6 variants and architectures. Users are advised to apply the provided updates to remediate these vulnerabilities.

Red Hat Security Advisory: fence-agents security update
CVE-2025-66471

This security advisory addresses vulnerabilities in the fence-agents packages used by Red Hat Enterprise Linux 9.0 and related products. The fence-agents provide scripts for remote power management in cluster environments, enabling forced restart and removal of failed or unreachable nodes. The update fixes two vulnerabilities in the urllib3 library's streaming API: improper handling of highly compressed data (CVE-2025-66471) and a decompression-bomb safeguard bypass when following HTTP redirects (CVE-2026-21441). These issues could potentially affect the reliability and security of cluster node management. Red Hat has released updated fence-agents packages to remediate these vulnerabilities. No known exploits in the wild have been reported. Users should apply the provided updates to mitigate the risks.

Red Hat Security Advisory: fence-agents security update
CVE-2025-66471

Red Hat has issued a security advisory for the fence-agents packages used in Red Hat Enterprise Linux 8.8 variants. The update addresses two vulnerabilities in the urllib3 library's streaming API: CVE-2025-66471, improper handling of highly compressed data, and CVE-2026-21441, a decompression-bomb safeguard bypass when following HTTP redirects. These vulnerabilities could impact the remote power management scripts used for cluster device handling. The advisory rates the security impact as Important (high severity). A fix is available via updated fence-agents packages as detailed in the Red Hat advisory.

Red Hat Security Advisory: RHTAS 1.3.2 - Red Hat Trusted Artifact Signer Release
CVE-2025-66418

The Red Hat Trusted Artifact Signer (RHTAS) Operator, compatible with OpenShift Container Platform versions 4.16 through 4.20, has associated vulnerabilities identified by CVE-2025-66418 and related CVEs. These vulnerabilities are categorized under CWE-770 (Allocation of Resources Without Limits or Throttling) and CWE-409 (Improper Synchronization), indicating potential issues with resource management and concurrency. The advisory does not provide details on exploitation or fixes. No patches or official fixes are currently available as per the vendor advisory. The vulnerabilities affect on-premise deployments of RHTAS, a tool used to cryptographically sign and verify software artifacts to ensure supply chain integrity. No known exploits are reported in the wild at this time.

Red Hat Security Advisory: Satellite 6.17.6.3 Async Update
CVE-2025-66418

Red Hat Satellite 6.17.6.3 addresses multiple vulnerabilities in the python-urllib3 library related to improper handling of highly compressed data and decompression-bomb safeguard bypasses. These issues can lead to unbounded decompression chains causing resource exhaustion. The update also fixes a bug affecting upgrades from Satellite 6.17.5 to 6.18 related to Pulpcore database migration. The vulnerabilities are rated as high severity by Red Hat.

Showing 1 to 10 of 61 results
