CVE-2026-3276
Potential DoS via quadratic complexity in unicodedata.normalize()
Description
unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.
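An added example, not upstream guidance or code from the Python project: a guard that refuses input with long combining-character runs before it reaches unicodedata.normalize(). The 30 non-starter cap is borrowed from the UAX #15 Stream-Safe Text Format; the length cap, function names and sample strings are assumptions made for illustration.

```python
import unicodedata

MAX_NONSTARTER_RUN = 30   # cap taken from UAX #15 Stream-Safe Text Format
MAX_INPUT_CHARS = 10_000  # assumed per-field limit; tune for the application


def _nonstarter_weight(ch):
    """Number of non-starters ch contributes (0 if it acts as a starter)."""
    if unicodedata.combining(ch):          # Canonical Combining Class != 0
        return 1
    # A ccc=0 character can still decompose into combining marks.
    fields = [f for f in unicodedata.decomposition(ch).split()
              if not f.startswith("<")]    # drop tags such as <compat>
    if fields and unicodedata.combining(chr(int(fields[0], 16))):
        return len(fields)
    return 0


def longest_nonstarter_run(text):
    """Longest consecutive run of non-starters, computed in one linear pass."""
    longest = run = 0
    for ch in text:
        weight = _nonstarter_weight(ch)
        run = run + weight if weight else 0
        longest = max(longest, run)
    return longest


def guarded_normalize(form, text):
    """Normalize text only if its size and combining runs are bounded."""
    if len(text) > MAX_INPUT_CHARS:
        raise ValueError("input too long to normalize")
    run = longest_nonstarter_run(text)
    if run > MAX_NONSTARTER_RUN:
        raise ValueError(f"combining run of {run} exceeds {MAX_NONSTARTER_RUN}")
    return unicodedata.normalize(form, text)


# Constructed samples: ordinary text, and a short string with the shape the
# description names (marks alternating between ccc 230 and ccc 220).
BENIGN = "Cafe\u0301"
ALTERNATING = "a" + "\u0301\u0323" * 32
```

The check is a heuristic over raw code points rather than the fully decomposed text, so it bounds the run length approximately; rejected inputs should be logged, since ordinary text rarely stacks more than a handful of marks on one base character.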
How to fix CVE-2026-3276
No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.
- Bitnami/libpython—no fix listed
- Bitnami/python—no fix listed
- Bitnami/python-min—no fix listed
- Debian/pypy3—no fix listed
Is CVE-2026-3276 being exploited?
No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-3276.
Affected packages (9)
- Each of the 9 entries lists the affected range as starting from version 0.
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |