Medium severityNVD Advisory· Published Jun 3, 2026· Updated Jun 16, 2026
CVE-2026-3276
CVE-2026-3276
Description
unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
15- osv-coords14 versionspkg:apk/chainguard/python-3.10pkg:apk/chainguard/python-3.11pkg:apk/chainguard/python-3.12pkg:apk/chainguard/python-3.13pkg:apk/chainguard/python-3.14pkg:apk/wolfi/python-3.10pkg:apk/wolfi/python-3.11pkg:apk/wolfi/python-3.12pkg:apk/wolfi/python-3.13pkg:apk/wolfi/python-3.14pkg:bitnami/libpythonpkg:bitnami/pythonpkg:bitnami/python-minpkg:rpm/opensuse/python315&distro=openSUSE%20Tumbleweed
< 3.10.20-r8+ 13 more
- (no CPE)range: < 3.10.20-r8
- (no CPE)range: < 3.11.15-r6
- (no CPE)range: < 3.12.13-r8
- (no CPE)range: < 3.13.14-r0
- (no CPE)range: < 3.14.6-r0
- (no CPE)range: < 3.10.20-r8
- (no CPE)range: < 3.11.15-r6
- (no CPE)range: < 3.12.13-r8
- (no CPE)range: < 3.13.14-r0
- (no CPE)range: < 3.14.6-r0
- (no CPE)range: < 3.13.14
- (no CPE)range: < 3.13.14
- (no CPE)range: < 3.13.14
- (no CPE)range: < 3.15.0~b2-1.1
Patches
Vulnerability mechanics
References
9- www.openwall.com/lists/oss-security/2026/06/03/15nvd
- github.com/python/cpython/commit/6b505d1f41f8f3ea0fe5a4786d3a8fff1875cfc0nvd
- github.com/python/cpython/commit/90748760d38ca3ac5fc6788a69becab905c95598nvd
- github.com/python/cpython/commit/991224b1e8311c85f198f6dd8208bf8cff7fc26fnvd
- github.com/python/cpython/commit/ba785b88add96acbf403d65cb157fb2743a33a32nvd
- github.com/python/cpython/commit/c5512bd7c1dc28055660565275012766941d3066nvd
- github.com/python/cpython/issues/149079nvd
- github.com/python/cpython/pull/149080nvd
- mail.python.org/archives/list/security-announce@python.org/thread/PP5HB4K7727OBBM76KA2ILID76K3OZGZ/nvd
News mentions
0No linked articles in our index yet.