CVE-2026-3276
MediumCVSS 6.3Exploitation Probability (EPSS)
Low risk33th percentile - higher than 33% of all known CVEs
Summary
The unicodedata.normalize() function can consume excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.
Risk Assessment
Excessive CPU consumption may lead to system slowdowns or crashes, impacting service availability within the organization.
Recommendation
It is recommended to monitor CPU usage and limit the processing of Unicode data that may be potentially malicious.
Original NVD description (English source)
unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.

