RHSA-2026:6287

Vulnerability from csaf_redhat - Published: 2026-03-31 16:45 - Updated: 2026-04-03 17:10
Summary
Red Hat Security Advisory: General availability of the satellite/iop-advisor-frontend-rhel9 container image
Severity
Important
Notes
Topic: A new satellite/iop-advisor-frontend-rhel9 container image is now generally available in the Red Hat container registry.
Details: Red Hat Lightspeed in Satellite analyzes system health and configuration by applying predefined rules to a small set of local data, such as installed packages, running services, and configuration settings. When you install Red Hat Lightspeed in Satellite locally, you can generate Red Hat Lightspeed recommendations without sending system data to Red Hat services.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
CVE-2026-21441

urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression based on the HTTP `Content-Encoding` header (e.g., `gzip`, `deflate`, `br`, or `zstd`). When using the streaming API, the library decompresses only the necessary bytes, enabling partial content consumption. Starting in version 1.22 and prior to version 2.6.3, for HTTP redirect responses, the library would read the entire response body to drain the connection and decompress the content unnecessarily. This decompression occurred even before any read methods were called, and configured read limits did not restrict the amount of decompressed data. As a result, there was no safeguard against decompression bombs. A malicious server could exploit this to trigger excessive resource consumption on the client. Applications and libraries are affected when they stream content from untrusted sources by setting `preload_content=False` when they do not disable redirects. Users should upgrade to at least urllib3 v2.6.3, in which the library does not decode content of redirect responses when `preload_content=False`. If upgrading is not immediately possible, disable redirects by setting `redirect=False` for requests to untrusted source.

7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)
Vendor Fix For Red Hat Lightspeed in Satellite installation see the Red Hat Satellite documentation. https://access.redhat.com/errata/RHSA-2026:6287
References
To clipboard 

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "A new satellite/iop-advisor-frontend-rhel9 container image is now generally available in the Red Hat container registry.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat Lightspeed in Satellite analyzes system health and configuration by applying  predefined rules to a small set of local data, such as installed packages,  running services, and configuration settings.  When you install Red Hat Lightspeed in Satellite locally,  you can generate Red Hat Lightspeed recommendations without  sending system data to Red Hat services. ",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2026:6287",
        "url": "https://access.redhat.com/errata/RHSA-2026:6287"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/documentation/en-us/red_hat_satellite/6.18/html/updating_red_hat_satellite/index",
        "url": "https://access.redhat.com/documentation/en-us/red_hat_satellite/6.18/html/updating_red_hat_satellite/index"
      },
      {
        "category": "external",
        "summary": "https://catalog.redhat.com/software/containers/search",
        "url": "https://catalog.redhat.com/software/containers/search"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/",
        "url": "https://access.redhat.com/security/updates/classification/"
      },
      {
        "category": "external",
        "summary": "https://docs.redhat.com/en/documentation/red_hat_satellite/6.18/html/installing_satellite_server_in_a_connected_network_environment/performing-additional-configuration-on-server_satellite#installing-and-configuring-red-hat-lightspeed-in-satellite",
        "url": "https://docs.redhat.com/en/documentation/red_hat_satellite/6.18/html/installing_satellite_server_in_a_connected_network_environment/performing-additional-configuration-on-server_satellite#installing-and-configuring-red-hat-lightspeed-in-satellite"
      },
      {
        "category": "external",
        "summary": "https://docs.redhat.com/en/documentation/red_hat_satellite/6.18/html/installing_satellite_server_in_a_disconnected_network_environment/performing-additional-configuration#installing-and-configuring-red-hat-lightspeed-in-satellite",
        "url": "https://docs.redhat.com/en/documentation/red_hat_satellite/6.18/html/installing_satellite_server_in_a_disconnected_network_environment/performing-additional-configuration#installing-and-configuring-red-hat-lightspeed-in-satellite"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-21441",
        "url": "https://access.redhat.com/security/cve/CVE-2026-21441"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_6287.json"
      }
    ],
    "title": "Red Hat Security Advisory: General availability of the satellite/iop-advisor-frontend-rhel9 container image",
    "tracking": {
      "current_release_date": "2026-04-03T17:10:19+00:00",
      "generator": {
        "date": "2026-04-03T17:10:19+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.7.4"
        }
      },
      "id": "RHSA-2026:6287",
      "initial_release_date": "2026-03-31T16:45:05+00:00",
      "revision_history": [
        {
          "date": "2026-03-31T16:45:05+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-03-31T16:45:13+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-04-03T17:10:19+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Satellite 6.18",
                "product": {
                  "name": "Red Hat Satellite 6.18",
                  "product_id": "Red Hat Satellite 6.18",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:satellite:6.18::el9"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Satellite"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/satellite/iop-advisor-frontend-rhel9@sha256:b16098ff4d22e3fc7cad21e8fe6988c8f38ef080e04df342deb1e2896b538f5d_amd64",
                "product": {
                  "name": "registry.redhat.io/satellite/iop-advisor-frontend-rhel9@sha256:b16098ff4d22e3fc7cad21e8fe6988c8f38ef080e04df342deb1e2896b538f5d_amd64",
                  "product_id": "registry.redhat.io/satellite/iop-advisor-frontend-rhel9@sha256:b16098ff4d22e3fc7cad21e8fe6988c8f38ef080e04df342deb1e2896b538f5d_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/iop-advisor-frontend-rhel9@sha256%3Ab16098ff4d22e3fc7cad21e8fe6988c8f38ef080e04df342deb1e2896b538f5d?arch=amd64\u0026repository_url=registry.redhat.io/satellite\u0026tag=1772205903"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/satellite/iop-advisor-frontend-rhel9@sha256:b16098ff4d22e3fc7cad21e8fe6988c8f38ef080e04df342deb1e2896b538f5d_amd64 as a component of Red Hat Satellite 6.18",
          "product_id": "Red Hat Satellite 6.18:registry.redhat.io/satellite/iop-advisor-frontend-rhel9@sha256:b16098ff4d22e3fc7cad21e8fe6988c8f38ef080e04df342deb1e2896b538f5d_amd64"
        },
        "product_reference": "registry.redhat.io/satellite/iop-advisor-frontend-rhel9@sha256:b16098ff4d22e3fc7cad21e8fe6988c8f38ef080e04df342deb1e2896b538f5d_amd64",
        "relates_to_product_reference": "Red Hat Satellite 6.18"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-21441",
      "cwe": {
        "id": "CWE-409",
        "name": "Improper Handling of Highly Compressed Data (Data Amplification)"
      },
      "discovery_date": "2026-01-07T23:01:59.422078+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2427726"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "urllib3 is an HTTP client library for Python. urllib3\u0027s streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression based on the HTTP `Content-Encoding` header (e.g., `gzip`, `deflate`, `br`, or `zstd`). When using the streaming API, the library decompresses only the necessary bytes, enabling partial content consumption. Starting in version 1.22 and prior to version 2.6.3, for HTTP redirect responses, the library would read the entire response body to drain the connection and decompress the content unnecessarily. This decompression occurred even before any read methods were called, and configured read limits did not restrict the amount of decompressed data. As a result, there was no safeguard against decompression bombs. A malicious server could exploit this to trigger excessive resource consumption on the client. Applications and libraries are affected when they stream content from untrusted sources by setting `preload_content=False` when they do not disable redirects. Users should upgrade to at least urllib3 v2.6.3, in which the library does not decode content of redirect responses when `preload_content=False`. If upgrading is not immediately possible, disable redirects by setting `redirect=False` for requests to untrusted source.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "urllib3: urllib3 vulnerable to decompression-bomb safeguard bypass when following HTTP redirects (streaming API)",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Satellite 6.18:registry.redhat.io/satellite/iop-advisor-frontend-rhel9@sha256:b16098ff4d22e3fc7cad21e8fe6988c8f38ef080e04df342deb1e2896b538f5d_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-21441"
        },
        {
          "category": "external",
          "summary": "RHBZ#2427726",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2427726"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-21441",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-21441"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-21441",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21441"
        },
        {
          "category": "external",
          "summary": "https://github.com/urllib3/urllib3/commit/8864ac407bba8607950025e0979c4c69bc7abc7b",
          "url": "https://github.com/urllib3/urllib3/commit/8864ac407bba8607950025e0979c4c69bc7abc7b"
        },
        {
          "category": "external",
          "summary": "https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99",
          "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99"
        }
      ],
      "release_date": "2026-01-07T22:09:01.936000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-03-31T16:45:05+00:00",
          "details": "For Red Hat Lightspeed in Satellite installation see the Red Hat Satellite documentation.",
          "product_ids": [
            "Red Hat Satellite 6.18:registry.redhat.io/satellite/iop-advisor-frontend-rhel9@sha256:b16098ff4d22e3fc7cad21e8fe6988c8f38ef080e04df342deb1e2896b538f5d_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:6287"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Satellite 6.18:registry.redhat.io/satellite/iop-advisor-frontend-rhel9@sha256:b16098ff4d22e3fc7cad21e8fe6988c8f38ef080e04df342deb1e2896b538f5d_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "urllib3: urllib3 vulnerable to decompression-bomb safeguard bypass when following HTTP redirects (streaming API)"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.