CVE Catalog

CVE-2026-3276

MediumCVSS 6.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.41%

33th percentile - higher than 33% of all known CVEs

Summary

The unicodedata.normalize() function can consume excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.

Risk Assessment

Excessive CPU consumption may lead to system slowdowns or crashes, impacting service availability within the organization.

Recommendation

It is recommended to monitor CPU usage and limit the processing of Unicode data that may be potentially malicious.

Original NVD description (English source)

unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS