CVE-2026-3276 PUBLISHED

Potential DoS via quadratic complexity in unicodedata.normalize()

Assigner: PSF
Reserved: 26.02.2026 Published: 03.06.2026 Updated: 03.06.2026

unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
CVSS Score: 6.3

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	None	Confidentiality	None
Attack Complexity	Low	Integrity	None	Integrity	None
Attack Requirements	Present	Availability	Low	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	Python Software Foundation
Product	CPython
Versions	Default: unaffected Version 0 is affected

Credits

Seokchan Yoon (https://github.com/ch4n3-yoon) reporter
Tim Peters (https://github.com/tim-one) remediation reviewer
Bénédikt Tran (https://github.com/picnixz) remediation reviewer
Serhiy Storchaka (https://github.com/serhiy-storchaka) remediation reviewer
Stan Ulbrych (https://github.com/StanFromIreland) remediation reviewer
Seth Larson (https://github.com/sethmlarson) coordinator
Petr Viktorin (https://github.com/encukou) remediation reviewer

References

Problem Types

CWE-407 CWE