Affected versions: CentOS Stream 9

Source: AlmaLinux/RHEL advisory ALSA-2026:1089

Related CVEs: CVE-2025-66418 CVE-2025-66471 CVE-2026-21441 CVE-2023-45803 CVE-2024-37891 CVE-2023-43804

Upstream summary: Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.

Security Fix(es):

* urllib3: Unbounded decompression chain leads to resource exhaustion (CVE-2025-66418)
* urllib3: Streaming API improperly handles highly compressed data

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

On CentOS Stream 9 hosts running python3.11-urllib3, operators report behaviour consistent with AlmaLinux/RHEL advisory ALSA-2026:1089: dnf refusing to install or restart affected services, SELinux AVC denials in /var/log/audit/audit.log, and — for security-rated advisories — exposure to the vulnerability set above. In production estates the visible impact ranges from a single service restart to wider availability incidents whenever python3.11-urllib3 sits on the serving path.

Environment & Reproduction

Reproduction targets CentOS Stream 9. Confirm the release with cat /etc/centos-release and cat /etc/os-release, and the currently installed package with rpm -q python3.11-urllib3. Capture system state with sosreport --batch -k crio.all=on if you need an evidence bundle for a vendor support case. Trigger the workflow that exercises python3.11-urllib3 (for the CVEs listed above, an HTTP client path that decompresses response bodies) while collecting journalctl -b, dnf history, and rpm -qa output.

Root Cause Analysis

Root cause is documented in AlmaLinux/RHEL advisory ALSA-2026:1089. Upstream maintainers shipped fixes in the corresponding python3.11-urllib3 update for CentOS Stream 9; running an outdated build leaves the host exposed to the failure modes described in the advisory. Correlate journalctl --since timestamps with dnf history entries and any SELinux denials in /var/log/audit/audit.log (or ausearch -m AVC,USER_AVC -ts recent) to isolate the originating change.

Quick Triage

Quick triage: run systemctl status python3.11-urllib3, journalctl -u python3.11-urllib3 -n 200, dnf check-update --security, dnf updateinfo list cves, firewall-cmd --list-all, and getenforce. Note that python3.11-urllib3 is a library package with no systemd unit of its own, so for the systemctl and journalctl -u commands substitute the unit of the service that imports it. If SELinux is enforcing, capture ausearch -m AVC -ts recent to surface denials linked to that service.

Step-by-Step Diagnosis

1) Confirm the symptom with systemctl --failed.
2) Inspect logs: journalctl -xe and journalctl -u python3.11-urllib3.
3) Validate the firewall: firewall-cmd --list-all-zones.
4) Check SELinux: getenforce, sestatus, ausearch -m AVC,USER_AVC -ts recent.
5) Verify package integrity: rpm -V python3.11-urllib3 and dnf reinstall python3.11-urllib3.
6) Correlate findings with dnf history, /var/log/dnf.log, and AlmaLinux/RHEL advisory ALSA-2026:1089 to pin the change that introduced the python3.11-urllib3 issue.

Solution – Primary Fix

Primary fix for the python3.11-urllib3 vulnerabilities: apply the corrective dnf transaction described in AlmaLinux/RHEL advisory ALSA-2026:1089, reload the affected systemd unit, and reconcile firewalld and SELinux state. Typical commands: sudo dnf -y makecache, sudo dnf -y upgrade --security or sudo dnf -y upgrade python3.11-urllib3, sudo systemctl daemon-reload, sudo systemctl restart python3.11-urllib3, then rpm -q python3.11-urllib3 to validate that the new build is installed. For kernel advisories add sudo systemctl reboot or apply kpatch-dnf live patches where covered by your subscription.


Solution – Alternative Approaches

Alternatives include rolling back the offending transaction with sudo dnf history undo <id>; version-locking the package via sudo dnf install python3-dnf-plugin-versionlock and then sudo dnf versionlock add python3.11-urllib3; switching firewalld backends between nftables and iptables in /etc/firewalld/firewalld.conf; and switching SELinux to permissive temporarily with sudo setenforce 0 to confirm that policy is the cause before authoring a custom policy module via audit2allow. Where kpatch is licensed, kpatch list and kpatch load apply kernel fixes without a reboot.

Verification & Acceptance Criteria

Acceptance: rpm -q python3.11-urllib3 shows the expected fixed version, systemctl is-active python3.11-urllib3 returns active, journalctl -u python3.11-urllib3 --since "5 minutes ago" shows no errors, dnf updateinfo list cves --installed no longer lists the CVEs above, firewall-cmd --list-services includes the required services, getenforce reports the intended mode, and the original reproduction steps for the python3.11-urllib3 issue no longer trigger the failure across two consecutive runs.
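The package and CVE checks from the acceptance criteria above, as an added shell script that is not part of the advisory or of CentOS. It takes the package name and CVE list from this page; FIXED_EVR (the fixed version-release, which the page does not state) must be supplied by the operator, and the two sample listings are constructed for the stand-alone run.

```shell
#!/usr/bin/env bash
# Added example (not from the advisory or the distribution): acceptance check
# for the python3.11-urllib3 update on CentOS Stream 9.
PKG="python3.11-urllib3"
ADVISORY_CVES="CVE-2025-66418 CVE-2025-66471 CVE-2026-21441 CVE-2023-45803 CVE-2024-37891 CVE-2023-43804"

# version_at_least INSTALLED FIXED: 0 when INSTALLED sorts at or above FIXED.
# GNU sort -V orders the dotted version, the release number and the dist tag.
version_at_least() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# cves_still_open LISTING: LISTING is the text of
# `dnf updateinfo list cves --installed`. Prints the advisory CVEs that still
# appear (the fix has not landed) and returns 1; returns 0 when none appear.
cves_still_open() {
  local cve open=""
  for cve in $ADVISORY_CVES; do
    printf '%s\n' "$1" | grep -qw -- "$cve" && open="$open $cve"
  done
  open="${open# }"
  [ -z "$open" ] && return 0
  printf '%s\n' "$open"
  return 1
}

# check_host: run the live checks against this host. Requires FIXED_EVR to be
# set to the version-release from ALSA-2026:1089 (placeholder, not on the page).
check_host() {
  local evr listing rc=0
  : "${FIXED_EVR:?set FIXED_EVR to the fixed version-release from ALSA-2026:1089}"
  evr=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$PKG") || { echo "$PKG not installed"; return 1; }
  version_at_least "$evr" "$FIXED_EVR" || { echo "installed $evr is older than $FIXED_EVR"; rc=1; }
  listing=$(dnf -q updateinfo list cves --installed 2>/dev/null)
  cves_still_open "$listing" || rc=1   # prints the CVEs that are still open
  return $rc
}

# Constructed sample listings in the shape of `dnf updateinfo list cves --installed`.
SAMPLE_BEFORE='CVE-2025-66418 Important/Sec. python3.11-urllib3-OLDVER.el9.noarch
CVE-2023-45803 Moderate/Sec.  python3.11-urllib3-OLDVER.el9.noarch
CVE-0000-00000 Moderate/Sec.  other-package-1.0-1.el9.x86_64'
SAMPLE_AFTER='CVE-0000-00000 Moderate/Sec.  other-package-1.0-1.el9.x86_64'
```

Run FIXED_EVR=<version-release> and then call check_host on the patched host; a zero exit status means both the version check and the CVE listing check passed.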

Rollback Plan

Capture state with dnf history list, rpm -qa > /root/rpm-pre.txt, and where available lvcreate -s -n preupgrade -L 4G /dev/<vg>/<lv> for an LVM snapshot. To revert, run sudo dnf history undo <id> (or sudo dnf install --allowerasing python3.11-urllib3-<old-version>) followed by sudo systemctl daemon-reload. Remove custom SELinux modules with sudo semodule -r <module>. Reboot if the kernel or initramfs was changed and re-verify the symptoms.

Prevention & Hardening

Prevent recurrence by enabling dnf-automatic with upgrade_type = security in /etc/dnf/automatic.conf, subscribing to centos-announce / rhsa-announce, mirroring through a local Pulp / Foreman / Spacewalk-style repo for controlled rollouts, version-locking sensitive packages, and monitoring file integrity with aide --check. Apply CIS CentOS Stream 9 hardening, keep SELinux enforcing, and where supported enable kpatch live patching so future advisories like this can be remediated without reboot.

Related Errors & Cross-Refs

Related issues that commonly surface alongside the python3.11-urllib3 update: dnf transaction lock contention, systemd unit ordering cycles, SELinux AVC denials in journalctl -k, firewalld zone drift, and kernel taint flags shown by cat /proc/sys/kernel/tainted.


References & Further Reading

Primary reference: AlmaLinux/RHEL advisory ALSA-2026:1089. Supporting docs: Red Hat / CentOS Stream Administration Guide, man dnf, man systemctl, man firewall-cmd, man semanage, man audit2allow, man journalctl, the Red Hat CVE database at access.redhat.com/security/cve/, and the kpatch documentation. Review /usr/share/doc/python3.11-urllib3/ for component-level notes on the packaged urllib3 release.