CVE-2026-3276
6.3
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Summary
unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Python Software Foundation | CPython | 0 < 3.13.14 | affected |
| Python Software Foundation | CPython | 3.14.0 < 3.14.6 | affected |
| Python Software Foundation | CPython | 3.15.0a1 < 3.15.0b2 | affected |
Weaknesses
- CWE-407: CWE-407
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
CVE Program Container
Additional References
References
- https://mail.python.org/archives/list/security-announce@python.org/thread/PP5HB4K7727OBBM76KA2ILID76K3OZGZ/
- https://github.com/python/cpython/pull/149080
- https://github.com/python/cpython/issues/149079
- https://github.com/python/cpython/commit/6b505d1f41f8f3ea0fe5a4786d3a8fff1875cfc0
- https://github.com/python/cpython/commit/991224b1e8311c85f198f6dd8208bf8cff7fc26f
- https://github.com/python/cpython/commit/ba785b88add96acbf403d65cb157fb2743a33a32
- https://github.com/python/cpython/commit/c5512bd7c1dc28055660565275012766941d3066
- https://github.com/python/cpython/commit/90748760d38ca3ac5fc6788a69becab905c95598
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.