CVE-2026-3276
Unicode Normalization Denial of Service in Python
Publication date: 2026-06-03
Last updated on: 2026-06-03
Assigner: Python Software Foundation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| python | cpython | 3.10 |
| python | cpython | 3.11 |
| python | cpython | 3.12 |
| python | cpython | 3.13 |
| python | cpython | 3.14 |
| python | cpython | 3.15 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-407 | An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-3276 is a performance vulnerability in Python's unicodedata.normalize() function. It occurs when processing specially crafted Unicode strings that contain long sequences of combining characters arranged with alternating Canonical Combining Class (CCC) values.
The root cause is an inefficient O(nΒ²) insertion sort algorithm used for canonical ordering of these combining characters. This inefficiency can cause the function to consume excessive CPU time, leading to potential denial-of-service (DoS) conditions.
The vulnerability affects all normalization forms and was fixed by replacing the insertion sort with a hybrid sorting approach that reduces the worst-case time complexity to O(n), preventing excessive CPU usage.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability impact me? :
This vulnerability can be exploited by an attacker to cause a denial of service (DoS) on systems running affected versions of Python by providing specially crafted Unicode strings with many combining characters.
Processing such inputs can lead to excessive CPU consumption, significantly slowing down or halting applications that use the unicodedata.normalize() function.
For example, a 0.5MB crafted payload could cause the function to take over 30 seconds to process, impacting system availability and performance.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability manifests as excessive CPU usage when processing specially crafted Unicode strings containing long runs of combining characters with alternating Canonical Combining Class values.
To detect this vulnerability on your system, you can monitor for unusually high CPU usage by Python processes, especially those invoking the unicodedata.normalize() function.
Since the issue is triggered by crafted Unicode input, you can attempt to reproduce the problem by running a test script that normalizes a string with many combining characters arranged in alternating canonical combining class order.
Example Python command to test for the vulnerability (may cause high CPU usage):
- Run a Python script that calls unicodedata.normalize() on a crafted string with many combining characters, for example: ```python import unicodedata # Construct a string with many combining characters alternating CCC values s = ''.join(chr(0x0300 + (i % 2)) for i in range(50000)) unicodedata.normalize('NFC', s) ``` If this causes excessive CPU usage or delays, the system is vulnerable.
Additionally, you can monitor system processes using commands like `top`, `htop`, or `ps` to identify Python processes consuming excessive CPU.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to update Python to a version where the vulnerability has been fixed.
The fix replaces the inefficient O(nΒ²) insertion sort algorithm in unicodedata.normalize() with a hybrid sorting approach, significantly reducing CPU time for crafted inputs.
The fix has been backported to Python versions 3.10 through 3.15, so upgrading to one of these patched versions will mitigate the vulnerability.
Until an update can be applied, consider limiting or sanitizing input that contains long runs of combining Unicode characters with alternating canonical combining classes to reduce the risk of denial-of-service.
Monitor and restrict untrusted input sources that might exploit this vulnerability.