CVE-2026-3276
Potential DoS via quadratic complexity in unicodedata.normalize()
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 13th |
unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.
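A defensive pre-check for untrusted input on affected versions, as an added example (not code from the CPython project or its fix): it measures the longest run of combining characters and refuses to normalize beyond a limit. The names `longest_combining_run`, `guarded_normalize` and `MAX_COMBINING_RUN` are hypothetical, and the limit of 30 is an assumption borrowed from the Stream-Safe Text Format in UAX #15.

```python
import unicodedata

# Assumption: 30 comes from the Stream-Safe Text Format (UAX #15), not from
# the CPython fix. Tune it to what your application legitimately receives.
MAX_COMBINING_RUN = 30


def longest_combining_run(text: str) -> int:
    """Length of the longest run of code points with a non-zero
    Canonical Combining Class (CCC)."""
    longest = current = 0
    for ch in text:
        # unicodedata.combining() returns the CCC; 0 means a starter.
        if unicodedata.combining(ch):
            current += 1
            if current > longest:
                longest = current
        else:
            current = 0
    return longest


def guarded_normalize(form: str, text: str,
                      max_run: int = MAX_COMBINING_RUN) -> str:
    """Normalize text only if no combining run exceeds max_run.

    The scan is a single linear pass, so rejecting is cheap even for
    very large inputs. It counts input code points; a handful of
    combining characters expand under decomposition, which is one
    reason to keep the limit low.
    """
    run = longest_combining_run(text)
    if run > max_run:
        raise ValueError(
            f"combining-character run of {run} exceeds limit {max_run}"
        )
    return unicodedata.normalize(form, text)


if __name__ == "__main__":
    # Constructed samples: ordinary text, then a short run that alternates
    # U+0301 (CCC 230) and U+0323 (CCC 220).
    print(guarded_normalize("NFC", "e\u0301"))
    try:
        guarded_normalize("NFC", "a" + "\u0301\u0323" * 20)
    except ValueError as exc:
        print("rejected:", exc)
```

Rejected inputs are worth logging with their source, since long combining runs are rare in legitimate text.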
| CWE | CWE-407 |
| Vendor | python software foundation |
| Product | cpython |
| Published | Jun 3, 2026 |
| Last Updated | Jun 4, 2026 |
Affected Versions
Python Software Foundation / CPython
0 < 3.15.0b2
References
mail.python.org: https://mail.python.org/archives/list/[email protected]/thread/PP5HB4K7727OBBM76KA2ILID76K3OZGZ/
github.com: https://github.com/python/cpython/pull/149080
github.com: https://github.com/python/cpython/issues/149079
github.com: https://github.com/python/cpython/commit/6b505d1f41f8f3ea0fe5a4786d3a8fff1875cfc0
github.com: https://github.com/python/cpython/commit/991224b1e8311c85f198f6dd8208bf8cff7fc26f
github.com: https://github.com/python/cpython/commit/ba785b88add96acbf403d65cb157fb2743a33a32
github.com: https://github.com/python/cpython/commit/c5512bd7c1dc28055660565275012766941d3066
openwall.com: http://www.openwall.com/lists/oss-security/2026/06/03/15
Credits
Seokchan Yoon (https://github.com/ch4n3-yoon)
Tim Peters (https://github.com/tim-one)
Bénédikt Tran (https://github.com/picnixz)
Serhiy Storchaka (https://github.com/serhiy-storchaka)
Stan Ulbrych (https://github.com/StanFromIreland)
Seth Larson (https://github.com/sethmlarson)
Petr Viktorin (https://github.com/encukou)