[oss-security][CVE-2026-3276] Potential DoS via quadratic complexity in unicodedata.normalize()

Wed, 03 Jun 2026 10:50:32 -0700 


-------- Forwarded Message --------

Subject: 	[Security-announce][CVE-2026-3276] Potential DoS via quadratic 
complexity in unicodedata.normalize()

Date:   Wed, 3 Jun 2026 14:56:33 +0100
From:   Stan Ulbrych via Security-announce <[email protected]>
Reply-To:       [email protected]
To:     [email protected]
CC:     Stan Ulbrych <[email protected]>



There is a MEDIUM severity vulnerability affecting CPython.

unicodedata.normalize() can take excessive CPU time when processing
specially crafted Unicode input containing long runs of combining characters
with alternating Canonical Combining Class values.
This affects all normalization forms.

Please see the linked CVE ID for the latest information on affected versions:

* https://www.cve.org/CVERecord?id=CVE-2026-3276
* https://github.com/python/cpython/pull/149080

_______________________________________________
Security-announce mailing list -- [email protected]
https://mail.python.org/mailman3//lists/security-announce.python.org














    











					Reply via email to