Unicode Normalization Vulnerability in Python
CVE-2026-3276

6.3MEDIUM

What is CVE-2026-3276?

The vulnerability arises from the unicodedata.normalize() function within Python, which may excessively consume CPU resources when processing specifically crafted Unicode inputs. These inputs utilize extended sequences of combining characters that alternate Canonical Combining Class values, ultimately affecting all available normalization forms. This can lead to significant performance issues in applications relying on Unicode processing.

Affected Version(s)

CPython 0 < 3.13.14

CPython 3.14.0 < 3.14.6

CPython 3.15.0a1 < 3.15.0b2

References

CVSS V4

Score:
6.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Seokchan Yoon (https://github.com/ch4n3-yoon)
Tim Peters (https://github.com/tim-one)
Bénédikt Tran (https://github.com/picnixz)
Serhiy Storchaka (https://github.com/serhiy-storchaka)
Stan Ulbrych (https://github.com/StanFromIreland)
Seth Larson (https://github.com/sethmlarson)
Petr Viktorin (https://github.com/encukou)
.