CVE-2026-3276
Published: 2026-06-03 · Last updated: 2026-06-04
Severity and scoring
- CWE: CWE-407
Description
unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.
Source: NVD
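One way to bound input before it reaches unicodedata.normalize(), as an added example (not code from CPython or from this advisory): reject text whose longest run of combining characters exceeds a limit. The names `guarded_normalize`, `longest_combining_run` and `CombiningRunTooLong` are hypothetical, and the limit of 30 is an assumption borrowed from the Stream-Safe Text Format in Unicode Standard Annex #15.

```python
import unicodedata

# Assumption: 30 is the non-starter limit of the Stream-Safe Text Format
# (UAX #15). Ordinary text stays far below it; tune it for your data.
MAX_COMBINING_RUN = 30


class CombiningRunTooLong(ValueError):
    """Input holds a longer run of combining characters than allowed."""


def longest_combining_run(text: str) -> int:
    """Length of the longest run of characters whose Canonical Combining
    Class is non-zero. One linear pass, no normalization performed."""
    longest = current = 0
    for ch in text:
        if unicodedata.combining(ch):  # returns the CCC, 0 for starters
            current += 1
            longest = max(longest, current)
        else:
            current = 0
    return longest


def guarded_normalize(form: str, text: str,
                      max_run: int = MAX_COMBINING_RUN) -> str:
    """Normalize only if every combining run is within max_run."""
    run = longest_combining_run(text)
    if run > max_run:
        raise CombiningRunTooLong(
            f"combining run of {run} exceeds limit of {max_run}")
    return unicodedata.normalize(form, text)


# Constructed samples (not taken from the advisory).
SAMPLE_OK = "e\u0302\u0323"  # e + circumflex (CCC 230) + dot below (CCC 220)
SAMPLE_LONG_RUN = "a" + "\u0301\u0323" * 20 + "b"  # 40 marks, CCC 230/220

if __name__ == "__main__":
    print(repr(guarded_normalize("NFC", SAMPLE_OK)))
    try:
        guarded_normalize("NFC", SAMPLE_LONG_RUN)
    except CombiningRunTooLong as exc:
        print("rejected:", exc)
```

The check runs in time linear in the input length, so it can sit in front of any normalization form at a trust boundary such as a request handler or username validator.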
References
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-3276
- Other: https://github.com/python/cpython/commit/6b505d1f41f8f3ea0fe5a4786d3a8fff1875cfc0
- Other: https://github.com/python/cpython/commit/991224b1e8311c85f198f6dd8208bf8cff7fc26f
- Other: https://github.com/python/cpython/commit/ba785b88add96acbf403d65cb157fb2743a33a32
- Other: https://github.com/python/cpython/commit/c5512bd7c1dc28055660565275012766941d3066
- Other: https://github.com/python/cpython/issues/149079
- Other: https://github.com/python/cpython/pull/149080
- Other: https://mail.python.org/archives/list/security-announce@python.org/thread/PP5HB4K7727OBBM76KA2ILID76K3OZGZ/
- Other: http://www.openwall.com/lists/oss-security/2026/06/03/15
Related CVEs
Same CWE
- CVE-2026-45664 — ImageMagick is free and open-source software used for editing and manipulating digital images (5.3 MEDIUM)
- CVE-2026-41850 — Applications that evaluate user-supplied Spring Expression Language (SpEL) expressions are vulnerable to an Algorithmic Denial of Service... (7.5 HIGH)
- CVE-2026-11312 — A vulnerability was found in bytedance InfiniStore up to 0.2.33 (3.3 LOW)
- CVE-2026-8889 — Version 3.0.7 of the Securly Chrome Extension uses deprecated SHA-1 hashing for IWF CSAM URL matching (25,020 hashes) and CIPA blocklist ... (7.5 HIGH)
- CVE-2026-42504 — Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU (7.5 HIGH)