Skip to main content

CPython CVE-2026-3276

| EUVDEUVD-2026-34103 MEDIUM
Inefficient Algorithmic Complexity (CWE-407)
2026-06-03 PSF GHSA-jg6j-874m-wgjj
6.3
CVSS 4.0 · Vendor: PSF
Share

Severity by source

Vendor (PSF) PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Red Hat
5.3 MEDIUM
qualitative

Primary rating from Vendor (PSF).

CVSS VectorVendor: PSF

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Source Code Evidence Fetched
Jun 03, 2026 - 18:33 vuln.today
Analysis Generated
Jun 03, 2026 - 18:33 vuln.today
CVSS changed
Jun 03, 2026 - 16:22 NVD
6.3 (MEDIUM)
CVE Published
Jun 03, 2026 - 14:29 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.

AnalysisAI

Denial-of-service via quadratic algorithmic complexity in CPython's unicodedata.normalize() affects all CPython versions when processing attacker-controlled Unicode strings. The canonical ordering step during Unicode normalization used an insertion sort algorithm with O(n²) time complexity, which degrades severely when input contains long runs of combining characters with alternating Canonical Combining Class (CCC) values. An unauthenticated remote attacker can cause excessive CPU consumption by submitting small crafted payloads (e.g., 65 characters) to any service that passes untrusted input to unicodedata.normalize(). No public exploit code or CISA KEV listing exists at time of analysis.

Technical ContextAI

The vulnerability resides in CPython's C-level unicodedata module (Modules/unicodedata.c), specifically in the nfd_nfkd() function responsible for Unicode normalization (NFD, NFKD, NFC, NFKC forms). Per CWE-407 (Inefficient Algorithmic Complexity), the root cause is an insertion sort used for canonical reordering of combining character runs. Unicode normalization requires sorting consecutive non-starter characters by their Canonical Combining Class (CCC) value (0-255). When a long run of characters alternates between two CCC values (e.g., U+0300 CCC=230 and U+0327 CCC=202), the insertion sort degrades to O(n²) comparisons and swaps. The fix, visible in PR #149080, introduces a threshold-based strategy: runs shorter than 20 characters continue to use insertion sort, while longer runs switch to a stable counting sort with O(n) time complexity, eliminating the quadratic behavior. The affected CPE is cpe:2.3:a:python_software_foundation:cpython:*:*:*:*:*:*:*:*, indicating all CPython versions are affected.

RemediationAI

The upstream fix is available as GitHub pull request https://github.com/python/cpython/pull/149080, which replaces the quadratic insertion sort with a linear counting sort for combining character runs exceeding a threshold of 20 characters. However, a released patched CPython version (e.g., 3.x.y) has not been independently confirmed from the available data - the fix reference points to a PR/commit, not a tagged release. Monitor the PSF security announcement at https://mail.python.org/archives/list/security-announce@python.org/thread/PP5HB4K7727OBBM76KA2ILID76K3OZGZ/ for an official patched release. As a compensating control until a patch is applied, application-layer defenses should validate or limit the length and character composition of Unicode input before passing it to unicodedata.normalize() - specifically, rejecting strings with abnormally high ratios of combining characters (Unicode category 'M') relative to base characters. Setting a maximum input length for normalization calls is also effective. Both controls introduce the trade-off of potentially rejecting legitimate internationalized input in some edge cases.

CVE-2026-6100 CRITICAL
9.1 Apr 13

CPython decompression modules (lzma, bz2, gzip) allow memory corruption via use-after-free when decompressor instances a

CVE-2026-11972 HIGH
8.2 Jun 23

Denial of service in CPython's tarfile module allows remote attackers to trigger an infinite loop by supplying a crafted

CVE-2026-9669 HIGH
8.2 Jun 08

Stack-based buffer overflow in CPython's bz2.BZ2Decompressor allows remote attackers to crash Python applications by sen

CVE-2026-11940 HIGH
7.8 Jun 23

Path traversal in CPython's tarfile module allows a crafted tar archive to bypass the 'data' and 'tar' extraction filter

CVE-2026-4786 HIGH
7.0 Apr 13

Command injection in CPython's webbrowser.open() API bypasses previous CVE-2026-4519 mitigation via specially crafted UR

CVE-2026-4519 HIGH
7.0 Mar 20

The webbrowser.open() API in CPython accepts URLs with leading dashes, which certain web browsers interpret as command-l

CVE-2026-7774 MEDIUM
6.9 Jun 04

Path traversal in CPython's tarfile module allows malicious tar archives to bypass the data_filter safety mechanism and

CVE-2026-7210 MEDIUM
6.3 May 11

XML parsers in CPython's xml.parsers.expat and xml.etree.ElementTree modules use insufficient entropy for Expat hash-flo

CVE-2026-8328 MEDIUM
5.9 May 13

Server-Side Request Forgery in CPython's ftplib module allows a malicious FTP source server to redirect a target FTP ser

CVE-2026-12003 MEDIUM
5.3 Jun 16

Privilege escalation in CPython on Windows enables a low-privileged local user to hijack the module search path of a mor

CVE-2026-0864 MEDIUM
4.1 Jun 23

Config file injection in CPython's configparser module allows an attacker who controls multi-line values written via con

CVE-2026-6019 LOW
2.1 Apr 22

CPython's http.cookies.Morsel.js_output() method generates inline script snippets that fail to neutralize the HTML parse

Vendor StatusVendor

SUSE

Severity: High
Product Status
SLES15-SP5-CHOST-BYOS-SAP-CCloud Fixed
SLES15-SP5-CHOST-BYOS-SAP-CCloud Fixed
SLES15-SP6-CHOST-BYOS Fixed
SLES15-SP6-CHOST-BYOS-Aliyun Fixed
SLES15-SP6-CHOST-BYOS-Azure Fixed

Share

CVE-2026-3276 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy