Detections
Analytics

CVE-2026-3276

medium

Description

unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.

References

https://mail.python.org/archives/list/[email protected]/thread/PP5HB4K7727OBBM76KA2ILID76K3OZGZ/

https://github.com/python/cpython/pull/149080

https://github.com/python/cpython/issues/149079

https://github.com/python/cpython/commit/c5512bd7c1dc28055660565275012766941d3066

https://github.com/python/cpython/commit/ba785b88add96acbf403d65cb157fb2743a33a32

https://github.com/python/cpython/commit/991224b1e8311c85f198f6dd8208bf8cff7fc26f

https://github.com/python/cpython/commit/90748760d38ca3ac5fc6788a69becab905c95598

https://github.com/python/cpython/commit/6b505d1f41f8f3ea0fe5a4786d3a8fff1875cfc0

http://www.openwall.com/lists/oss-security/2026/06/03/15

Details

Source: Mitre, NVD

Published: 2026-06-03

Updated: 2026-06-16

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

Severity: Medium

CVSS v3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Severity: High

CVSS v4

Base Score: 6.3

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Severity: Medium

EPSS

EPSS: 0.00042