CVE-2026-44432 is a denial-of-service vulnerability in the urllib3 Python library affecting the streaming response code path, where decompression-bomb safeguards are not consistently enforced. The risk is resource exhaustion (memory and CPU) against any service that uses urllib3’s streaming API against an attacker-controlled or compromised upstream HTTP endpoint. Transitive dependency reach through requests, boto3, pip, and similar foundational packages means the exposure surface is likely broader than direct urllib3 consumers alone.