CVE-2026-3276

unknown

Published 2026-06-03 · Modified 2026-06-03

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

6.3

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

VIR risk

—

Description

unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Debian Security Tracker · View original ↗ · DFSG

CVE-2026-3276 NameCVE-2026-3276 Descriptionunicodedata.normalize() can take excessive CPU time when processing sp ... SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) Vulnerable and fixed packages The table below lists information on source packages. Source PackageReleaseVersionStatus…

CVE-2026-3276

Name	CVE-2026-3276
Description	unicodedata.normalize() can take excessive CPU time when processing sp ...
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
pypy3 (PTS)	bullseye	7.3.5+dfsg-2+deb11u2	vulnerable
	bullseye (security)	7.3.5+dfsg-2+deb11u5	vulnerable
	bookworm	7.3.11+dfsg-2+deb12u3	vulnerable
	trixie	7.3.19+dfsg-2	vulnerable
	forky, sid	7.3.23+dfsg-1	vulnerable
python2.7 (PTS)	bullseye	2.7.18-8+deb11u1	vulnerable
python3.11 (PTS)	bookworm	3.11.2-6+deb12u7	vulnerable
	bookworm (security)	3.11.2-6+deb12u3	vulnerable
python3.13 (PTS)	trixie	3.13.5-2+deb13u2	vulnerable
	forky, sid	3.13.12-1	vulnerable
python3.14 (PTS)	forky, sid	3.14.5-1	vulnerable
python3.9 (PTS)	bullseye	3.9.2-1	vulnerable
	bullseye (security)	3.9.2-1+deb11u7	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version
pypy3	source	(unstable)	(unfixed)
python2.7	source	(unstable)	(unfixed)
python3.11	source	(unstable)	(unfixed)
python3.13	source	(unstable)	(unfixed)
python3.14	source	(unstable)	(unfixed)
python3.9	source	(unstable)	(unfixed)

Notes

https://www.openwall.com/lists/oss-security/2026/06/03/15
https://github.com/python/cpython/pull/149080
https://github.com/python/cpython/commit/991224b1e8311c85f198f6dd8208bf8cff7fc26f (main)
https://github.com/python/cpython/commit/c5512bd7c1dc28055660565275012766941d3066 (v3.15.0b2)
https://github.com/python/cpython/commit/6b505d1f41f8f3ea0fe5a4786d3a8fff1875cfc0 (3.14 branch)
https://github.com/python/cpython/commit/ba785b88add96acbf403d65cb157fb2743a33a32 (3.13 branch)

Home - Debian Security - Source (Git)

Apply commands

text fix

Notes

https://www.openwall.com/lists/oss-security/2026/06/03/15https://github.com/python/cpython/pull/149080https://github.com/python/cpython/commit/991224b1e8311c85f198f6dd8208bf8cff7fc26f (main)https://github.com/python/cpython/commit/c5512bd7c1dc28055660565275012766941d3066 (v3.15.0b2)https://github.com/python/cpython/commit/6b505d1f41f8f3ea0fe5a4786d3a8fff1875cfc0 (3.14 branch)https://github.com/python/cpython/commit/ba785b88add96acbf403d65cb157fb2743a33a32 (3.13 branch)

OS impact

Debian Affected 5 releases

Version	Status	Fixed in
trixie	Affected	—
sid	Affected	—
forky	Affected	—
bullseye	Affected	—
bookworm	Affected	—

SUSE Affected 1 release

Version	Status	Fixed in
—	Affected	—

References

CWEs

CWE-407

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.