CVE-2026-3276 (GCVE-0-2026-3276)
Vulnerability from cvelistv5 – Published: 2026-06-03 14:29 – Updated: 2026-06-16 14:54
VLAI?
Title
Potential DoS via quadratic complexity in unicodedata.normalize()
Summary
unicodedata.normalize() can take excessive CPU time when processing
specially crafted Unicode input containing long runs of combining characters
with alternating Canonical Combining Class values.
This affects all normalization forms.
Severity ?
CWE
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Python Software Foundation | CPython |
Affected:
0 , < 3.13.14
(python)
Affected: 3.14.0 , < 3.14.6 (python) Affected: 3.15.0a1 , < 3.15.0b2 (python) |
Credits
Seokchan Yoon (https://github.com/ch4n3-yoon)
Tim Peters (https://github.com/tim-one)
Bénédikt Tran (https://github.com/picnixz)
Serhiy Storchaka (https://github.com/serhiy-storchaka)
Stan Ulbrych (https://github.com/StanFromIreland)
Seth Larson (https://github.com/sethmlarson)
Petr Viktorin (https://github.com/encukou)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3276",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-03T17:27:09.393265Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T17:27:19.179Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-06-03T19:18:17.828Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/06/03/15"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CPython",
"repo": "https://github.com/python/cpython",
"vendor": "Python Software Foundation",
"versions": [
{
"lessThan": "3.13.14",
"status": "affected",
"version": "0",
"versionType": "python"
},
{
"lessThan": "3.14.6",
"status": "affected",
"version": "3.14.0",
"versionType": "python"
},
{
"lessThan": "3.15.0b2",
"status": "affected",
"version": "3.15.0a1",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Seokchan Yoon (https://github.com/ch4n3-yoon)"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Tim Peters (https://github.com/tim-one)"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "B\u00e9n\u00e9dikt Tran (https://github.com/picnixz)"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Serhiy Storchaka (https://github.com/serhiy-storchaka)"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Stan Ulbrych (https://github.com/StanFromIreland)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Seth Larson (https://github.com/sethmlarson)"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Petr Viktorin (https://github.com/encukou)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan\u003eunicodedata.normalize()\u003c/span\u003e can take excessive CPU time when processing\u003cbr\u003especially crafted Unicode input containing long runs of combining characters\u003cbr\u003ewith alternating Canonical Combining Class values.\u003cbr\u003eThis affects all normalization forms."
}
],
"value": "unicodedata.normalize() can take excessive CPU time when processing\nspecially crafted Unicode input containing long runs of combining characters\nwith alternating Canonical Combining Class values.\nThis affects all normalization forms."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-407",
"description": "CWE-407",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T14:54:50.442Z",
"orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"shortName": "PSF"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/PP5HB4K7727OBBM76KA2ILID76K3OZGZ/"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/pull/149080"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/python/cpython/issues/149079"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/6b505d1f41f8f3ea0fe5a4786d3a8fff1875cfc0"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/991224b1e8311c85f198f6dd8208bf8cff7fc26f"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/ba785b88add96acbf403d65cb157fb2743a33a32"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/c5512bd7c1dc28055660565275012766941d3066"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/90748760d38ca3ac5fc6788a69becab905c95598"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Potential DoS via quadratic complexity in unicodedata.normalize()",
"x_generator": {
"engine": "Vulnogram 0.6.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"assignerShortName": "PSF",
"cveId": "CVE-2026-3276",
"datePublished": "2026-06-03T14:29:39.727Z",
"dateReserved": "2026-02-26T15:19:46.862Z",
"dateUpdated": "2026-06-16T14:54:50.442Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://www.openwall.com/lists/oss-security/2026/06/03/15\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2026-06-03T19:18:17.828Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-3276\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-03T17:27:09.393265Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-03T17:27:13.504Z\"}}], \"cna\": {\"title\": \"Potential DoS via quadratic complexity in unicodedata.normalize()\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"Seokchan Yoon (https://github.com/ch4n3-yoon)\"}, {\"lang\": \"en\", \"type\": \"remediation reviewer\", \"value\": \"Tim Peters (https://github.com/tim-one)\"}, {\"lang\": \"en\", \"type\": \"remediation reviewer\", \"value\": \"B\\u00e9n\\u00e9dikt Tran (https://github.com/picnixz)\"}, {\"lang\": \"en\", \"type\": \"remediation reviewer\", \"value\": \"Serhiy Storchaka (https://github.com/serhiy-storchaka)\"}, {\"lang\": \"en\", \"type\": \"remediation reviewer\", \"value\": \"Stan Ulbrych (https://github.com/StanFromIreland)\"}, {\"lang\": \"en\", \"type\": \"coordinator\", \"value\": \"Seth Larson (https://github.com/sethmlarson)\"}, {\"lang\": \"en\", \"type\": \"remediation reviewer\", \"value\": \"Petr Viktorin (https://github.com/encukou)\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 6.3, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N\", \"exploitMaturity\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"LOW\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"repo\": \"https://github.com/python/cpython\", \"vendor\": \"Python Software Foundation\", \"product\": \"CPython\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"3.13.14\", \"versionType\": \"python\"}, {\"status\": \"affected\", \"version\": \"3.14.0\", \"lessThan\": \"3.14.6\", \"versionType\": \"python\"}, {\"status\": \"affected\", \"version\": \"3.15.0a1\", \"lessThan\": \"3.15.0b2\", \"versionType\": \"python\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://mail.python.org/archives/list/security-announce@python.org/thread/PP5HB4K7727OBBM76KA2ILID76K3OZGZ/\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://github.com/python/cpython/pull/149080\", \"tags\": [\"patch\"]}, {\"url\": \"https://github.com/python/cpython/issues/149079\", \"tags\": [\"issue-tracking\"]}, {\"url\": \"https://github.com/python/cpython/commit/6b505d1f41f8f3ea0fe5a4786d3a8fff1875cfc0\", \"tags\": [\"patch\"]}, {\"url\": \"https://github.com/python/cpython/commit/991224b1e8311c85f198f6dd8208bf8cff7fc26f\", \"tags\": [\"patch\"]}, {\"url\": \"https://github.com/python/cpython/commit/ba785b88add96acbf403d65cb157fb2743a33a32\", \"tags\": [\"patch\"]}, {\"url\": \"https://github.com/python/cpython/commit/c5512bd7c1dc28055660565275012766941d3066\", \"tags\": [\"patch\"]}, {\"url\": \"https://github.com/python/cpython/commit/90748760d38ca3ac5fc6788a69becab905c95598\", \"tags\": [\"patch\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.6.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"unicodedata.normalize() can take excessive CPU time when processing\\nspecially crafted Unicode input containing long runs of combining characters\\nwith alternating Canonical Combining Class values.\\nThis affects all normalization forms.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cspan\u003eunicodedata.normalize()\u003c/span\u003e can take excessive CPU time when processing\u003cbr\u003especially crafted Unicode input containing long runs of combining characters\u003cbr\u003ewith alternating Canonical Combining Class values.\u003cbr\u003eThis affects all normalization forms.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-407\", \"description\": \"CWE-407\"}]}], \"providerMetadata\": {\"orgId\": \"28c92f92-d60d-412d-b760-e73465c3df22\", \"shortName\": \"PSF\", \"dateUpdated\": \"2026-06-16T14:54:50.442Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-3276\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-16T14:54:50.442Z\", \"dateReserved\": \"2026-02-26T15:19:46.862Z\", \"assignerOrgId\": \"28c92f92-d60d-412d-b760-e73465c3df22\", \"datePublished\": \"2026-06-03T14:29:39.727Z\", \"assignerShortName\": \"PSF\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…