Internationalized Domain Names in Applications (IDNA): Specially crafted inputs to idna.encode() can bypass CVE-2024-3651 fix
Description
This is the same issue as CVE-2024-3651, however the original remediation in 2024 was not a complete fix. Payloads such as "\u0660" * N or "\u30fb" * N + "\u6f22" utilize the valid_contexto function prior to length rejection, and for high values of N will take a long time to process.
Impact
A specially crafted argument to the idna.encode() function could consume significant resources. This may lead to a denial-of-service.
Patches
Starting in version 3.14, the function rejects long inputs as soon as practicable prior to any further processing to minimize resource consumption. In version 3.15, this approach was extended to lesser used alternate functions (i.e. per-label conversions and codec support).
Workarounds
Domain names cannot exceed 253 characters in length, if this length limit is enforced prior to passing the domain to the idna.encode() function it should no longer consume significant resources. This is triggered by arbitrarily large inputs that would not occur in normal usage, but may be passed to the library assuming there is no preliminary input validation by the higher-level application.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2026-45409 is a bypass of the incomplete fix for CVE-2024-3651, where crafted Unicode inputs to idna.encode() cause a denial-of-service via resource exhaustion.
Vulnerability
CVE-2026-45409 is a bypass of the incomplete remediation for CVE-2024-3651 in the idna library for Python. The idna.encode() function and related per-label and codec functions may be supplied with crafted Unicode payloads such as "\u0660" * N or "\u30fb" * N + "\u6f22". These inputs exploit the valid_contexto function, which is invoked before input length validation, causing significant processing time for large values of N. All versions prior to 3.14 are affected; versions 3.14 and 3.15 contain partial and more complete fixes, respectively.[1][2][3]
Exploitation
An attacker with the ability to pass arbitrary input to idna.encode() (or the per-label/conversion functions in versions before 3.15) can craft a string composed of repeating characters that trigger costly processing in valid_contexto before length checks are applied. No authentication or special network position is required beyond the ability to supply the malicious input to the vulnerable function.[2][3]
Impact
Successful exploitation leads to excessive CPU and memory consumption, resulting in a denial-of-service condition. The vulnerability does not affect confidentiality or integrity; its impact is limited to resource exhaustion that may degrade or halt service availability for the process using the library.[2][3]
Mitigation
Patches are available as of version 3.14, where long inputs are rejected earlier in the processing pipeline to minimize resource consumption; version 3.15 extends this protection to the less frequently used per-label and codec functions. Users should upgrade to idna 3.15 or later. As a workaround, applications can enforce a maximum domain length of 253 characters (the RFC 1035 limit) before calling idna.encode(), preventing arbitrarily large inputs from reaching the vulnerable code path.[1][2][3]
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2News mentions
0No linked articles in our index yet.