CVE-2026-3276
Severity CVSS v4.0:
MEDIUM
Type:
Unavailable / Other
Publication date:
03/06/2026
Last modified:
16/06/2026
Description
unicodedata.normalize() can take excessive CPU time when processing<br />
specially crafted Unicode input containing long runs of combining characters<br />
with alternating Canonical Combining Class values.<br />
This affects all normalization forms.
Impact
Base Score 4.0
6.30
Severity 4.0
MEDIUM
References to Advisories, Solutions, and Tools
- https://github.com/python/cpython/commit/6b505d1f41f8f3ea0fe5a4786d3a8fff1875cfc0
- https://github.com/python/cpython/commit/90748760d38ca3ac5fc6788a69becab905c95598
- https://github.com/python/cpython/commit/991224b1e8311c85f198f6dd8208bf8cff7fc26f
- https://github.com/python/cpython/commit/ba785b88add96acbf403d65cb157fb2743a33a32
- https://github.com/python/cpython/commit/c5512bd7c1dc28055660565275012766941d3066
- https://github.com/python/cpython/issues/149079
- https://github.com/python/cpython/pull/149080
- https://mail.python.org/archives/list/security-announce@python.org/thread/PP5HB4K7727OBBM76KA2ILID76K3OZGZ/
- http://www.openwall.com/lists/oss-security/2026/06/03/15



