Zero Day Monitor (ZDM)
CVE-2026-3276 · EXPLOITED · PATCHED
python software foundation · python

Potential DoS via quadratic complexity in unicodedata.normalize()

Description

unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.

Affected Products

Vendor | Product | Versions
python software foundation | python | 0, 3.14.0, 3.15.0a1

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor | Product | Source | Confidence
open source | python | cert_advisory | 90%

References

  • https://mail.python.org/archives/list/security-announce@python.org/thread/PP5HB4K7727OBBM76KA2ILID76K3OZGZ/ (vendor-advisory)
  • https://github.com/python/cpython/pull/149080 (patch)
  • https://github.com/python/cpython/issues/149079 (issue-tracking)
  • https://github.com/python/cpython/commit/6b505d1f41f8f3ea0fe5a4786d3a8fff1875cfc0 (patch)
  • https://github.com/python/cpython/commit/991224b1e8311c85f198f6dd8208bf8cff7fc26f (patch)
  • https://github.com/python/cpython/commit/ba785b88add96acbf403d65cb157fb2743a33a32 (patch)
  • https://github.com/python/cpython/commit/c5512bd7c1dc28055660565275012766941d3066 (patch)
  • https://github.com/python/cpython/commit/90748760d38ca3ac5fc6788a69becab905c95598 (patch)

Related News (4 articles)

Tier B · BSI Advisories · 11d ago
[NEW] [medium] CPython: Multiple vulnerabilities
→ No new info (linked only)

Tier A · Microsoft MSRC · 21d ago
CVE-2026-3276 Potential DoS via quadratic complexity in unicodedata.normalize()
→ No new info (linked only)

Tier B · CERT-FR · 23d ago
Multiple vulnerabilities in CPython (05 June 2026)
→ No new info (linked only)

Tier C · oss-security · 24d ago
[oss-security][CVE-2026-3276] Potential DoS via quadratic complexity in unicodedata.normalize()
→ No new info (linked only)

CISA KEV: ❌ No
Actively exploited: ✅ Yes
Patch available:
  • https://mail.python.org/archives/list/security-announce@python.org/thread/PP5HB4K7727OBBM76KA2ILID76K3OZGZ/
  • https://github.com/python/cpython/pull/149080
CWE: CWE-407
Published: Jun 3, 2026
Last enriched: 24d ago (v2)
Trending Score: 11
Source articles: 4
Independent: 4
Info Completeness: 9/14
Missing: cvss, epss, kev, iocs, mitre_attack

Related CVEs (5)

  • NONE · CVE-2026-12003 · EXP · CPython >3.11 Insecure Input Validation resulting in privilege escalation · Trending: 67
  • NONE · CVE-2026-11972 · EXP · tarfile opened in streaming mode mishandles EOF · Trending: 55
  • NONE · CVE-2026-0864 · Configuration Injection via Carriage Return (\r) in write() method · Trending: 39
  • NONE · CVE-2026-11940 · tarfile extraction filter bypass allows escaping the destination directory · Trending: 32
  • NONE · CVE-2026-9669 · EXP · bz2.BZ2Decompressor reuse after error can cause a stack buffer overflow · Trending: 14

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

  • Jun 3, 2026 · CVE Published
  • Jun 3, 2026 · Discovered by ZDM
  • Jun 3, 2026 · Updated: severity, exploitAvailable, activelyExploited
  • Jun 16, 2026 · Actively Exploited
  • Jun 16, 2026 · Exploit Available
  • Jun 16, 2026 · Patch Available

Version History

v2 · Tier C · 24d ago (last enriched 24d ago)

Updated severity to MEDIUM and marked exploit as available and actively exploited.

severity, exploitAvailable, activelyExploited
via oss-security

v1 · 24d ago

Initial creation