Vulnerability details: VCID-kjka-a931-uygj
Vulnerability ID VCID-kjka-a931-uygj
Aliases CVE-2026-21441
GHSA-38jv-5279-wg99
Summary Decompression-bomb safeguards bypassed when following HTTP redirects (streaming API)

### Impact

urllib3's [streaming API](https://urllib3.readthedocs.io/en/2.6.2/advanced-usage.html#streaming-and-i-o) is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression based on the HTTP `Content-Encoding` header (e.g., `gzip`, `deflate`, `br`, or `zstd`). When using the streaming API, the library decompresses only the necessary bytes, enabling partial content consumption.

However, for HTTP redirect responses, the library would read the entire response body to drain the connection and decompress the content unnecessarily. This decompression occurred even before any read methods were called, and configured read limits did not restrict the amount of decompressed data. As a result, there was no safeguard against decompression bombs. A malicious server could exploit this to trigger excessive resource consumption on the client (high CPU usage and large memory allocations for decompressed data; CWE-409).

### Affected usages

Applications and libraries using urllib3 version 2.6.2 and earlier to stream content from untrusted sources by setting `preload_content=False` when they do not disable redirects.

### Remediation

Upgrade to at least urllib3 v2.6.3, in which the library does not decode the content of redirect responses when `preload_content=False`. If upgrading is not immediately possible, disable [redirects](https://urllib3.readthedocs.io/en/2.6.2/user-guide.html#retrying-requests) by setting `redirect=False` for requests to untrusted sources.
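The core of the advisory is that the affected code path bounded how many compressed bytes it read but not how many decompressed bytes it produced. The example below is added here and is not urllib3's code; it uses only the Python standard library so it runs offline. It shows the property a safeguard against CWE-409 needs: the cap is enforced on decompressed output as input arrives in chunks, so a small body cannot force a large allocation. The `is_affected` version gate (plain numeric versions compared against the fix release the advisory names, v2.6.3) and the gzip fixture (a highly compressible run of zero bytes) are this example's own constructions, not data from the advisory.

```python
"""Bounded streaming gzip decompression: the safeguard this advisory describes.

Added example, not urllib3 code. Standard library only. The gzip "bomb" is a
constructed test fixture (a run of zero bytes), not data from the advisory.
"""
import gzip
import zlib


class DecompressionBombError(Exception):
    """Raised when decompressed output would exceed the configured cap."""


# Assumption: plain numeric versions. The advisory states that 2.6.2 and
# earlier are affected and that 2.6.3 carries the fix.
FIXED_VERSION = (2, 6, 3)


def is_affected(version: str) -> bool:
    """True for urllib3 releases older than the fixed release (v2.6.3)."""
    return tuple(int(part) for part in version.split(".")) < FIXED_VERSION


def make_gzip_bomb(decompressed_size: int) -> bytes:
    """Constructed fixture: a small gzip stream that inflates to `decompressed_size` bytes."""
    return gzip.compress(b"\0" * decompressed_size, compresslevel=9)


def bounded_decompress(compressed: bytes, max_out: int, chunk_size: int = 64 * 1024) -> bytes:
    """Inflate a gzip body while capping the decompressed size.

    The limit is checked on the output side each time a chunk of compressed
    input is fed in, which is the check the affected redirect-draining path
    lacked. Input is delivered in chunks the way a streaming reader would.
    """
    inflater = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # gzip framing
    out = bytearray()
    for offset in range(0, len(compressed), chunk_size):
        pending = compressed[offset:offset + chunk_size]
        while pending:
            # Request at most one byte beyond the cap: an overflow is then
            # detectable without ever materialising a large buffer.
            room = max_out - len(out) + 1
            out += inflater.decompress(pending, room)
            if len(out) > max_out:
                raise DecompressionBombError(
                    f"decompressed output exceeds {max_out} bytes after "
                    f"{offset + len(pending)} compressed bytes"
                )
            # zlib hands back whatever input it did not consume yet.
            pending = inflater.unconsumed_tail
    out += inflater.flush()
    if len(out) > max_out:
        raise DecompressionBombError(f"decompressed output exceeds {max_out} bytes")
    if not inflater.eof:
        raise ValueError("truncated gzip stream")
    return bytes(out)


if __name__ == "__main__":
    bomb = make_gzip_bomb(4 * 1024 * 1024)
    print(f"fixture: {len(bomb)} compressed bytes inflating to 4 MiB")
    try:
        bounded_decompress(bomb, max_out=1024 * 1024)
    except DecompressionBombError as exc:
        print("rejected:", exc)
    print(bounded_decompress(make_gzip_bomb(5), max_out=1024))
    print("2.6.2 affected:", is_affected("2.6.2"), "| 2.6.3 affected:", is_affected("2.6.3"))
```

`bounded_decompress` rejects the fixture after producing only one byte past the cap, whereas an output-unbounded inflate of the same few kilobytes would allocate the full 4 MiB. In an application this cap sits beside the advisory's own remediation, not in place of it: upgrade to v2.6.3 or later, or pass `redirect=False` alongside `preload_content=False` for requests to untrusted servers so a redirect response body is never drained and decoded on the client's behalf.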
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-21441.json
epss 0.00027 https://api.first.org/data/v1/epss?cve=CVE-2026-21441
cvssv3.1 4.3 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-38jv-5279-wg99
cvssv3.1 7.5 https://github.com/urllib3/urllib3
cvssv4 8.9 https://github.com/urllib3/urllib3
generic_textual HIGH https://github.com/urllib3/urllib3
cvssv3.1 7.5 https://github.com/urllib3/urllib3/commit/8864ac407bba8607950025e0979c4c69bc7abc7b
cvssv4 8.9 https://github.com/urllib3/urllib3/commit/8864ac407bba8607950025e0979c4c69bc7abc7b
generic_textual HIGH https://github.com/urllib3/urllib3/commit/8864ac407bba8607950025e0979c4c69bc7abc7b
ssvc Track https://github.com/urllib3/urllib3/commit/8864ac407bba8607950025e0979c4c69bc7abc7b
cvssv3.1 7.5 https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99
cvssv3.1_qr HIGH https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99
cvssv4 8.9 https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99
generic_textual HIGH https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99
ssvc Track https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99
cvssv3.1 7.5 https://lists.debian.org/debian-lts-announce/2026/01/msg00017.html
cvssv4 8.9 https://lists.debian.org/debian-lts-announce/2026/01/msg00017.html
generic_textual HIGH https://lists.debian.org/debian-lts-announce/2026/01/msg00017.html
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2026-21441
cvssv4 8.9 https://nvd.nist.gov/vuln/detail/CVE-2026-21441
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2026-21441
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-21441.json
https://api.first.org/data/v1/epss?cve=CVE-2026-21441
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-21441
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/urllib3/urllib3
https://github.com/urllib3/urllib3/commit/8864ac407bba8607950025e0979c4c69bc7abc7b
https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99
https://lists.debian.org/debian-lts-announce/2026/01/msg00017.html
https://nvd.nist.gov/vuln/detail/CVE-2026-21441
1125062 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125062
2427726 https://bugzilla.redhat.com/show_bug.cgi?id=2427726
GHSA-38jv-5279-wg99 https://github.com/advisories/GHSA-38jv-5279-wg99
RHSA-2026:0981 https://access.redhat.com/errata/RHSA-2026:0981
RHSA-2026:0990 https://access.redhat.com/errata/RHSA-2026:0990
RHSA-2026:1038 https://access.redhat.com/errata/RHSA-2026:1038
RHSA-2026:1041 https://access.redhat.com/errata/RHSA-2026:1041
RHSA-2026:1042 https://access.redhat.com/errata/RHSA-2026:1042
RHSA-2026:1086 https://access.redhat.com/errata/RHSA-2026:1086
RHSA-2026:1087 https://access.redhat.com/errata/RHSA-2026:1087
RHSA-2026:1088 https://access.redhat.com/errata/RHSA-2026:1088
RHSA-2026:1089 https://access.redhat.com/errata/RHSA-2026:1089
RHSA-2026:1166 https://access.redhat.com/errata/RHSA-2026:1166
RHSA-2026:1168 https://access.redhat.com/errata/RHSA-2026:1168
RHSA-2026:1176 https://access.redhat.com/errata/RHSA-2026:1176
RHSA-2026:1224 https://access.redhat.com/errata/RHSA-2026:1224
RHSA-2026:1226 https://access.redhat.com/errata/RHSA-2026:1226
RHSA-2026:1239 https://access.redhat.com/errata/RHSA-2026:1239
RHSA-2026:1240 https://access.redhat.com/errata/RHSA-2026:1240
RHSA-2026:1241 https://access.redhat.com/errata/RHSA-2026:1241
RHSA-2026:1254 https://access.redhat.com/errata/RHSA-2026:1254
RHSA-2026:1485 https://access.redhat.com/errata/RHSA-2026:1485
RHSA-2026:1504 https://access.redhat.com/errata/RHSA-2026:1504
RHSA-2026:1546 https://access.redhat.com/errata/RHSA-2026:1546
RHSA-2026:1596 https://access.redhat.com/errata/RHSA-2026:1596
RHSA-2026:1599 https://access.redhat.com/errata/RHSA-2026:1599
RHSA-2026:1609 https://access.redhat.com/errata/RHSA-2026:1609
RHSA-2026:1618 https://access.redhat.com/errata/RHSA-2026:1618
RHSA-2026:1619 https://access.redhat.com/errata/RHSA-2026:1619
RHSA-2026:1652 https://access.redhat.com/errata/RHSA-2026:1652
RHSA-2026:1674 https://access.redhat.com/errata/RHSA-2026:1674
RHSA-2026:1676 https://access.redhat.com/errata/RHSA-2026:1676
RHSA-2026:1693 https://access.redhat.com/errata/RHSA-2026:1693
RHSA-2026:1704 https://access.redhat.com/errata/RHSA-2026:1704
RHSA-2026:1706 https://access.redhat.com/errata/RHSA-2026:1706
RHSA-2026:1712 https://access.redhat.com/errata/RHSA-2026:1712
RHSA-2026:1717 https://access.redhat.com/errata/RHSA-2026:1717
RHSA-2026:1726 https://access.redhat.com/errata/RHSA-2026:1726
RHSA-2026:1729 https://access.redhat.com/errata/RHSA-2026:1729
RHSA-2026:1730 https://access.redhat.com/errata/RHSA-2026:1730
RHSA-2026:1734 https://access.redhat.com/errata/RHSA-2026:1734
RHSA-2026:1735 https://access.redhat.com/errata/RHSA-2026:1735
RHSA-2026:1736 https://access.redhat.com/errata/RHSA-2026:1736
RHSA-2026:1791 https://access.redhat.com/errata/RHSA-2026:1791
RHSA-2026:1792 https://access.redhat.com/errata/RHSA-2026:1792
RHSA-2026:1793 https://access.redhat.com/errata/RHSA-2026:1793
RHSA-2026:1794 https://access.redhat.com/errata/RHSA-2026:1794
RHSA-2026:1803 https://access.redhat.com/errata/RHSA-2026:1803
RHSA-2026:1805 https://access.redhat.com/errata/RHSA-2026:1805
RHSA-2026:1942 https://access.redhat.com/errata/RHSA-2026:1942
RHSA-2026:1957 https://access.redhat.com/errata/RHSA-2026:1957
RHSA-2026:2106 https://access.redhat.com/errata/RHSA-2026:2106
RHSA-2026:2126 https://access.redhat.com/errata/RHSA-2026:2126
RHSA-2026:2137 https://access.redhat.com/errata/RHSA-2026:2137
RHSA-2026:2139 https://access.redhat.com/errata/RHSA-2026:2139
RHSA-2026:2144 https://access.redhat.com/errata/RHSA-2026:2144
RHSA-2026:2256 https://access.redhat.com/errata/RHSA-2026:2256
RHSA-2026:2456 https://access.redhat.com/errata/RHSA-2026:2456
RHSA-2026:2500 https://access.redhat.com/errata/RHSA-2026:2500
RHSA-2026:2563 https://access.redhat.com/errata/RHSA-2026:2563
RHSA-2026:2681 https://access.redhat.com/errata/RHSA-2026:2681
RHSA-2026:2695 https://access.redhat.com/errata/RHSA-2026:2695
RHSA-2026:2717 https://access.redhat.com/errata/RHSA-2026:2717
RHSA-2026:2718 https://access.redhat.com/errata/RHSA-2026:2718
RHSA-2026:2723 https://access.redhat.com/errata/RHSA-2026:2723
RHSA-2026:2728 https://access.redhat.com/errata/RHSA-2026:2728
RHSA-2026:2760 https://access.redhat.com/errata/RHSA-2026:2760
RHSA-2026:2762 https://access.redhat.com/errata/RHSA-2026:2762
RHSA-2026:2764 https://access.redhat.com/errata/RHSA-2026:2764
RHSA-2026:2765 https://access.redhat.com/errata/RHSA-2026:2765
RHSA-2026:2900 https://access.redhat.com/errata/RHSA-2026:2900
RHSA-2026:2911 https://access.redhat.com/errata/RHSA-2026:2911
RHSA-2026:2919 https://access.redhat.com/errata/RHSA-2026:2919
RHSA-2026:2924 https://access.redhat.com/errata/RHSA-2026:2924
RHSA-2026:2925 https://access.redhat.com/errata/RHSA-2026:2925
RHSA-2026:2926 https://access.redhat.com/errata/RHSA-2026:2926
RHSA-2026:3296 https://access.redhat.com/errata/RHSA-2026:3296
RHSA-2026:3406 https://access.redhat.com/errata/RHSA-2026:3406
RHSA-2026:3444 https://access.redhat.com/errata/RHSA-2026:3444
RHSA-2026:3461 https://access.redhat.com/errata/RHSA-2026:3461
RHSA-2026:3462 https://access.redhat.com/errata/RHSA-2026:3462
RHSA-2026:3713 https://access.redhat.com/errata/RHSA-2026:3713
RHSA-2026:3782 https://access.redhat.com/errata/RHSA-2026:3782
RHSA-2026:3869 https://access.redhat.com/errata/RHSA-2026:3869
RHSA-2026:3874 https://access.redhat.com/errata/RHSA-2026:3874
RHSA-2026:3884 https://access.redhat.com/errata/RHSA-2026:3884
RHSA-2026:3960 https://access.redhat.com/errata/RHSA-2026:3960
RHSA-2026:4185 https://access.redhat.com/errata/RHSA-2026:4185
RHSA-2026:4215 https://access.redhat.com/errata/RHSA-2026:4215
RHSA-2026:4271 https://access.redhat.com/errata/RHSA-2026:4271
RHSA-2026:4466 https://access.redhat.com/errata/RHSA-2026:4466
RHSA-2026:4467 https://access.redhat.com/errata/RHSA-2026:4467
RHSA-2026:5459 https://access.redhat.com/errata/RHSA-2026:5459
RHSA-2026:6287 https://access.redhat.com/errata/RHSA-2026:6287
RHSA-2026:6292 https://access.redhat.com/errata/RHSA-2026:6292
RHSA-2026:8151 https://access.redhat.com/errata/RHSA-2026:8151
USN-7955-1 https://usn.ubuntu.com/7955-1/
USN-7955-2 https://usn.ubuntu.com/7955-2/
USN-8010-1 https://usn.ubuntu.com/8010-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-21441.json
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/urllib3/urllib3
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H Found at https://github.com/urllib3/urllib3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/urllib3/urllib3/commit/8864ac407bba8607950025e0979c4c69bc7abc7b
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H Found at https://github.com/urllib3/urllib3/commit/8864ac407bba8607950025e0979c4c69bc7abc7b
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-08T20:08:04Z/ Found at https://github.com/urllib3/urllib3/commit/8864ac407bba8607950025e0979c4c69bc7abc7b
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H Found at https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-08T20:08:04Z/ Found at https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://lists.debian.org/debian-lts-announce/2026/01/msg00017.html
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H Found at https://lists.debian.org/debian-lts-announce/2026/01/msg00017.html
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2026-21441
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H Found at https://nvd.nist.gov/vuln/detail/CVE-2026-21441
Exploit Prediction Scoring System (EPSS)
Percentile 0.07535
EPSS Score 0.00027
Published At April 2, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:52:14.674883+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-38jv-5279-wg99/GHSA-38jv-5279-wg99.json 38.0.0