Potential DoS via quadratic complexity in unicodedata.normalize()_CVE-2026-3276

6.3 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Description

unicodedata.normalize() can take excessive CPU time when processing
specially crafted Unicode input containing long runs of combining characters
with alternating Canonical Combining Class values.
This affects all normalization forms.

Basic Information

ID CVE-2026-3276

Source PSF

Published Jun 3, 2026 at 14:29

Affected Product

Vendor Python Software Foundation

Product CPython

Affected Versions Python Software Foundation CPython 0

CWE Classification

CWE-407

References

{
    "lastseen": "",
    "description": "unicodedata.normalize() can take excessive CPU time when processing\nspecially crafted Unicode input containing long runs of combining characters\nwith alternating Canonical Combining Class values.\nThis affects all normalization forms.",
    "published": "2026-06-03T14:29:39.727Z",
    "modified": "2026-06-03T14:29:39.727Z",
    "type": "cve",
    "title": "Potential DoS via quadratic complexity in unicodedata.normalize()",
    "source": "PSF",
    "references": "https://mail.python.org/archives/list/[email protected]/thread/PP5HB4K7727OBBM76KA2ILID76K3OZGZ/\nhttps://github.com/python/cpython/pull/149080\nhttps://github.com/python/cpython/issues/149079",
    "id": "CVE-2026-3276",
    "bulletinFamily": "",
    "cwe": [
        "CWE-407"
    ],
    "cvelist": null,
    "sourceData": "Python Software Foundation CPython 0",
    "sourceHref": "",
    "cvss": {
        "score": 6.3,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "CPython",
    "version": "0",
    "vendor": "Python Software Foundation",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}