CVE-2026-3276 (GCVE-0-2026-3276)
Vulnerability from cvelistv5 – Published: 2026-06-03 14:29 – Updated: 2026-06-04 17:03
VLAI
Title
Potential DoS via quadratic complexity in unicodedata.normalize()
Summary
unicodedata.normalize() can take excessive CPU time when processing
specially crafted Unicode input containing long runs of combining characters
with alternating Canonical Combining Class values.
This affects all normalization forms.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
8 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Python Software Foundation | CPython |
Affected:
0 , < 3.15.0b2
(python)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3276",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-03T17:27:09.393265Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T17:27:19.179Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-06-03T19:18:17.828Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/06/03/15"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CPython",
"repo": "https://github.com/python/cpython",
"vendor": "Python Software Foundation",
"versions": [
{
"lessThan": "3.15.0b2",
"status": "affected",
"version": "0",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Seokchan Yoon (https://github.com/ch4n3-yoon)"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Tim Peters (https://github.com/tim-one)"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "B\u00e9n\u00e9dikt Tran (https://github.com/picnixz)"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Serhiy Storchaka (https://github.com/serhiy-storchaka)"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Stan Ulbrych (https://github.com/StanFromIreland)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Seth Larson (https://github.com/sethmlarson)"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Petr Viktorin (https://github.com/encukou)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan\u003eunicodedata.normalize()\u003c/span\u003e can take excessive CPU time when processing\u003cbr\u003especially crafted Unicode input containing long runs of combining characters\u003cbr\u003ewith alternating Canonical Combining Class values.\u003cbr\u003eThis affects all normalization forms."
}
],
"value": "unicodedata.normalize() can take excessive CPU time when processing\nspecially crafted Unicode input containing long runs of combining characters\nwith alternating Canonical Combining Class values.\nThis affects all normalization forms."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-407",
"description": "CWE-407",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T17:03:12.301Z",
"orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"shortName": "PSF"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/PP5HB4K7727OBBM76KA2ILID76K3OZGZ/"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/pull/149080"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/python/cpython/issues/149079"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/6b505d1f41f8f3ea0fe5a4786d3a8fff1875cfc0"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/991224b1e8311c85f198f6dd8208bf8cff7fc26f"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/ba785b88add96acbf403d65cb157fb2743a33a32"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/c5512bd7c1dc28055660565275012766941d3066"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Potential DoS via quadratic complexity in unicodedata.normalize()",
"x_generator": {
"engine": "Vulnogram 0.6.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"assignerShortName": "PSF",
"cveId": "CVE-2026-3276",
"datePublished": "2026-06-03T14:29:39.727Z",
"dateReserved": "2026-02-26T15:19:46.862Z",
"dateUpdated": "2026-06-04T17:03:12.301Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-3276",
"date": "2026-06-06",
"epss": "0.00049",
"percentile": "0.15762"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-3276\",\"sourceIdentifier\":\"cna@python.org\",\"published\":\"2026-06-03T16:16:29.253\",\"lastModified\":\"2026-06-04T18:16:30.117\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"unicodedata.normalize() can take excessive CPU time when processing\\nspecially crafted Unicode input containing long runs of combining characters\\nwith alternating Canonical Combining Class values.\\nThis affects all normalization forms.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"cna@python.org\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":6.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"LOW\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"cna@python.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-407\"}]}],\"references\":[{\"url\":\"https://github.com/python/cpython/commit/6b505d1f41f8f3ea0fe5a4786d3a8fff1875cfc0\",\"source\":\"cna@python.org\"},{\"url\":\"https://github.com/python/cpython/commit/991224b1e8311c85f198f6dd8208bf8cff7fc26f\",\"source\":\"cna@python.org\"},{\"url\":\"https://github.com/python/cpython/commit/ba785b88add96acbf403d65cb157fb2743a33a32\",\"source\":\"cna@python.org\"},{\"url\":\"https://github.com/python/cpython/commit/c5512bd7c1dc28055660565275012766941d3066\",\"source\":\"cna@python.org\"},{\"url\":\"https://github.com/python/cpython/issues/149079\",\"source\":\"cna@python.org\"},{\"url\":\"https://github.com/python/cpython/pull/149080\",\"source\":\"cna@python.org\"},{\"url\":\"https://mail.python.org/archives/list/security-announce@python.org/thread/PP5HB4K7727OBBM76KA2ILID76K3OZGZ/\",\"source\":\"cna@python.org\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2026/06/03/15\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://www.openwall.com/lists/oss-security/2026/06/03/15\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2026-06-03T19:18:17.828Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-3276\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-03T17:27:09.393265Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-03T17:27:13.504Z\"}}], \"cna\": {\"title\": \"Potential DoS via quadratic complexity in unicodedata.normalize()\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"Seokchan Yoon (https://github.com/ch4n3-yoon)\"}, {\"lang\": \"en\", \"type\": \"remediation reviewer\", \"value\": \"Tim Peters (https://github.com/tim-one)\"}, {\"lang\": \"en\", \"type\": \"remediation reviewer\", \"value\": \"B\\u00e9n\\u00e9dikt Tran (https://github.com/picnixz)\"}, {\"lang\": \"en\", \"type\": \"remediation reviewer\", \"value\": \"Serhiy Storchaka (https://github.com/serhiy-storchaka)\"}, {\"lang\": \"en\", \"type\": \"remediation reviewer\", \"value\": \"Stan Ulbrych (https://github.com/StanFromIreland)\"}, {\"lang\": \"en\", \"type\": \"coordinator\", \"value\": \"Seth Larson (https://github.com/sethmlarson)\"}, {\"lang\": \"en\", \"type\": \"remediation reviewer\", \"value\": \"Petr Viktorin (https://github.com/encukou)\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 6.3, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N\", \"exploitMaturity\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"LOW\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"repo\": \"https://github.com/python/cpython\", \"vendor\": \"Python Software Foundation\", \"product\": \"CPython\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"3.15.0b2\", \"versionType\": \"python\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://mail.python.org/archives/list/security-announce@python.org/thread/PP5HB4K7727OBBM76KA2ILID76K3OZGZ/\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://github.com/python/cpython/pull/149080\", \"tags\": [\"patch\"]}, {\"url\": \"https://github.com/python/cpython/issues/149079\", \"tags\": [\"issue-tracking\"]}, {\"url\": \"https://github.com/python/cpython/commit/6b505d1f41f8f3ea0fe5a4786d3a8fff1875cfc0\", \"tags\": [\"patch\"]}, {\"url\": \"https://github.com/python/cpython/commit/991224b1e8311c85f198f6dd8208bf8cff7fc26f\", \"tags\": [\"patch\"]}, {\"url\": \"https://github.com/python/cpython/commit/ba785b88add96acbf403d65cb157fb2743a33a32\", \"tags\": [\"patch\"]}, {\"url\": \"https://github.com/python/cpython/commit/c5512bd7c1dc28055660565275012766941d3066\", \"tags\": [\"patch\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.6.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"unicodedata.normalize() can take excessive CPU time when processing\\nspecially crafted Unicode input containing long runs of combining characters\\nwith alternating Canonical Combining Class values.\\nThis affects all normalization forms.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cspan\u003eunicodedata.normalize()\u003c/span\u003e can take excessive CPU time when processing\u003cbr\u003especially crafted Unicode input containing long runs of combining characters\u003cbr\u003ewith alternating Canonical Combining Class values.\u003cbr\u003eThis affects all normalization forms.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-407\", \"description\": \"CWE-407\"}]}], \"providerMetadata\": {\"orgId\": \"28c92f92-d60d-412d-b760-e73465c3df22\", \"shortName\": \"PSF\", \"dateUpdated\": \"2026-06-04T17:03:12.301Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-3276\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-04T17:03:12.301Z\", \"dateReserved\": \"2026-02-26T15:19:46.862Z\", \"assignerOrgId\": \"28c92f92-d60d-412d-b760-e73465c3df22\", \"datePublished\": \"2026-06-03T14:29:39.727Z\", \"assignerShortName\": \"PSF\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…