CVE-2026-3276

Summary

unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.

Affected Software

VendorProductVersion RangeStatus
Python Software FoundationCPython0 < 3.13.14affected
Python Software FoundationCPython3.14.0 < 3.14.6affected
Python Software FoundationCPython3.15.0a1 < 3.15.0b2affected

Weaknesses

  • CWE-407: CWE-407

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References