USN-7927-3: urllib3 regression
Canonical (Ubuntu)
Released: January 13, 2026
Updated: January 15, 2026
Restart Required
Description
USN-7927-1 fixed vulnerabilities in urllib3. The update for CVE-2025-66471
introduced a regression in urllib3 when decompressing zstd data. This
update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

Illia Volochii discovered that urllib3 did not limit the steps in a
decompression chain. An attacker could possibly use this issue to cause
urllib3 to use excessive resources, causing a denial of service.
(CVE-2025-66418)

Rui Xi discovered that urllib3 incorrectly handled highly compressed data.
An attacker could possibly use this issue to cause urllib3 to use
excessive resources, causing a denial of service. This issue only affected
Ubuntu 24.04 LTS, Ubuntu 25.04, and Ubuntu 25.10. (CVE-2025-66471)

For the brotli encoding, the fix for CVE-2025-66471 requires an additional
security update in the brotli package.
Fixed Vulnerabilities 1
Dec 05, 2025
urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data.…
Quick Info
Patch ID: USN-7927-3
Vendor: Canonical (Ubuntu)
Severity: Unknown
CVEs Fixed: 1
Restart: Required
Vendor
Canonical (Ubuntu)
Additional Info
action:
usn id: USN-7927-3
summary: USN-7927-1 introduced a regression in urllib3
usn number: 7927-3
instructions: In general, a standard system update will make all the necessary changes.
