Unicode Normalization Vulnerability in Python
CVE-2026-3276
6.3MEDIUM
What is CVE-2026-3276?
The vulnerability arises from the unicodedata.normalize() function within Python, which may excessively consume CPU resources when processing specifically crafted Unicode inputs. These inputs utilize extended sequences of combining characters that alternate Canonical Combining Class values, ultimately affecting all available normalization forms. This can lead to significant performance issues in applications relying on Unicode processing.
Affected Version(s)
CPython 0 < 3.13.14
CPython 3.14.0 < 3.14.6
CPython 3.15.0a1 < 3.15.0b2
References
CVSS V4
Score:
6.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Seokchan Yoon (https://github.com/ch4n3-yoon)
Tim Peters (https://github.com/tim-one)
Bénédikt Tran (https://github.com/picnixz)
Serhiy Storchaka (https://github.com/serhiy-storchaka)
Stan Ulbrych (https://github.com/StanFromIreland)
Seth Larson (https://github.com/sethmlarson)
Petr Viktorin (https://github.com/encukou)
