CVE-2026-3276

NameCVE-2026-3276
Descriptionunicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
python2.7 (PTS)bullseye2.7.18-8+deb11u1vulnerable
python3.11 (PTS)bookworm3.11.2-6+deb12u8vulnerable
bookworm (security)3.11.2-6+deb12u3vulnerable
python3.13 (PTS)trixie3.13.5-2+deb13u3fixed
forky, sid3.13.14-1fixed
python3.14 (PTS)forky, sid3.14.6-1fixed
python3.9 (PTS)bullseye3.9.2-1vulnerable
bullseye (security)3.9.2-1+deb11u7vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
python2.7sourcebullseye(unfixed)end-of-life
python2.7source(unstable)(unfixed)
python3.11source(unstable)(unfixed)
python3.13sourcetrixie3.13.5-2+deb13u3
python3.13source(unstable)3.13.14-1
python3.14source(unstable)3.14.6-1
python3.9source(unstable)(unfixed)

Notes

[bookworm] - python3.11 <no-dsa> (Minor issue)
[bullseye] - python3.9 <postponed> (Minor issue)
[bullseye] - python2.7 <end-of-life> (not supported in bullseye)
https://www.openwall.com/lists/oss-security/2026/06/03/15
https://github.com/python/cpython/pull/149080
https://github.com/python/cpython/commit/991224b1e8311c85f198f6dd8208bf8cff7fc26f (main)
https://github.com/python/cpython/commit/c5512bd7c1dc28055660565275012766941d3066 (v3.15.0b2)
https://github.com/python/cpython/commit/6b505d1f41f8f3ea0fe5a4786d3a8fff1875cfc0 (3.14 branch)
https://github.com/python/cpython/commit/ba785b88add96acbf403d65cb157fb2743a33a32 (3.13 branch)

Search for package or bug name: Reporting problems