{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3276", "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22", "state": "PUBLISHED", "assignerShortName": "PSF", "dateReserved": "2026-02-26T15:19:46.862Z", "datePublished": "2026-06-03T14:29:39.727Z", "dateUpdated": "2026-06-10T18:04:54.692Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "CPython", "repo": "https://github.com/python/cpython", "vendor": "Python Software Foundation", "versions": [{"version": "0", "lessThan": "3.13.14", "status": "affected", "versionType": "python"}, {"version": "3.14.0", "lessThan": "3.14.6", "status": "affected", "versionType": "python"}, {"version": "3.15.0a1", "lessThan": "3.15.0b2", "status": "affected", "versionType": "python"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Seokchan Yoon (https://github.com/ch4n3-yoon)"}, {"lang": "en", "type": "remediation reviewer", "value": "Tim Peters (https://github.com/tim-one)"}, {"lang": "en", "type": "remediation reviewer", "value": "B\u00e9n\u00e9dikt Tran (https://github.com/picnixz)"}, {"lang": "en", "type": "remediation reviewer", "value": "Serhiy Storchaka (https://github.com/serhiy-storchaka)"}, {"lang": "en", "type": "remediation reviewer", "value": "Stan Ulbrych (https://github.com/StanFromIreland)"}, {"lang": "en", "type": "coordinator", "value": "Seth Larson (https://github.com/sethmlarson)"}, {"lang": "en", "type": "remediation reviewer", "value": "Petr Viktorin (https://github.com/encukou)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span>unicodedata.normalize()</span> can take excessive CPU time when processing<br>specially crafted Unicode input containing long runs of combining characters<br>with alternating Canonical Combining Class values.<br>This affects all normalization forms."}], "value": "unicodedata.normalize() can take excessive CPU time when processing\nspecially crafted Unicode input containing long runs of combining characters\nwith alternating Canonical Combining Class values.\nThis affects all normalization forms."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 6.3, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-407", "description": "CWE-407", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "28c92f92-d60d-412d-b760-e73465c3df22", "shortName": "PSF", "dateUpdated": "2026-06-10T18:04:54.692Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/PP5HB4K7727OBBM76KA2ILID76K3OZGZ/"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/pull/149080"}, {"tags": ["issue-tracking"], "url": "https://github.com/python/cpython/issues/149079"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/6b505d1f41f8f3ea0fe5a4786d3a8fff1875cfc0"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/991224b1e8311c85f198f6dd8208bf8cff7fc26f"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/ba785b88add96acbf403d65cb157fb2743a33a32"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/c5512bd7c1dc28055660565275012766941d3066"}], "source": {"discovery": "UNKNOWN"}, "title": "Potential DoS via quadratic complexity in unicodedata.normalize()", "x_generator": {"engine": "Vulnogram 0.6.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-03T17:27:09.393265Z", "id": "CVE-2026-3276", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-03T17:27:19.179Z"}}, {"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/06/03/15"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-06-03T19:18:17.828Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/06/03/15"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-06-03T19:18:17.828Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3276", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-03T17:27:09.393265Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-03T17:27:13.504Z"}}], "cna": {"title": "Potential DoS via quadratic complexity in unicodedata.normalize()", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "reporter", "value": "Seokchan Yoon (https://github.com/ch4n3-yoon)"}, {"lang": "en", "type": "remediation reviewer", "value": "Tim Peters (https://github.com/tim-one)"}, {"lang": "en", "type": "remediation reviewer", "value": "B\u00e9n\u00e9dikt Tran (https://github.com/picnixz)"}, {"lang": "en", "type": "remediation reviewer", "value": "Serhiy Storchaka (https://github.com/serhiy-storchaka)"}, {"lang": "en", "type": "remediation reviewer", "value": "Stan Ulbrych (https://github.com/StanFromIreland)"}, {"lang": "en", "type": "coordinator", "value": "Seth Larson (https://github.com/sethmlarson)"}, {"lang": "en", "type": "remediation reviewer", "value": "Petr Viktorin (https://github.com/encukou)"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/python/cpython", "vendor": "Python Software Foundation", "product": "CPython", "versions": [{"status": "affected", "version": "0", "lessThan": "3.13.14", "versionType": "python"}, {"status": "affected", "version": "3.14.0", "lessThan": "3.14.6", "versionType": "python"}, {"status": "affected", "version": "3.15.0a1", "lessThan": "3.15.0b2", "versionType": "python"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/PP5HB4K7727OBBM76KA2ILID76K3OZGZ/", "tags": ["vendor-advisory"]}, {"url": "https://github.com/python/cpython/pull/149080", "tags": ["patch"]}, {"url": "https://github.com/python/cpython/issues/149079", "tags": ["issue-tracking"]}, {"url": "https://github.com/python/cpython/commit/6b505d1f41f8f3ea0fe5a4786d3a8fff1875cfc0", "tags": ["patch"]}, {"url": "https://github.com/python/cpython/commit/991224b1e8311c85f198f6dd8208bf8cff7fc26f", "tags": ["patch"]}, {"url": "https://github.com/python/cpython/commit/ba785b88add96acbf403d65cb157fb2743a33a32", "tags": ["patch"]}, {"url": "https://github.com/python/cpython/commit/c5512bd7c1dc28055660565275012766941d3066", "tags": ["patch"]}], "x_generator": {"engine": "Vulnogram 0.6.0"}, "descriptions": [{"lang": "en", "value": "unicodedata.normalize() can take excessive CPU time when processing\nspecially crafted Unicode input containing long runs of combining characters\nwith alternating Canonical Combining Class values.\nThis affects all normalization forms.", "supportingMedia": [{"type": "text/html", "value": "<span>unicodedata.normalize()</span> can take excessive CPU time when processing<br>specially crafted Unicode input containing long runs of combining characters<br>with alternating Canonical Combining Class values.<br>This affects all normalization forms.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-407", "description": "CWE-407"}]}], "providerMetadata": {"orgId": "28c92f92-d60d-412d-b760-e73465c3df22", "shortName": "PSF", "dateUpdated": "2026-06-10T18:04:54.692Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3276", "state": "PUBLISHED", "dateUpdated": "2026-06-10T18:04:54.692Z", "dateReserved": "2026-02-26T15:19:46.862Z", "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22", "datePublished": "2026-06-03T14:29:39.727Z", "assignerShortName": "PSF"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "unicodedata.normalize() can take excessive CPU time when processing\nspecially crafted Unicode input containing long runs of combining characters\nwith alternating Canonical Combining Class values.\nThis affects all normalization forms."}], "id": "CVE-2026-3276", "lastModified": "2026-06-04T18:16:30.117", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@python.org", "type": "Secondary"}]}, "published": "2026-06-03T16:16:29.253", "references": [{"source": "cna@python.org", "url": "https://github.com/python/cpython/commit/6b505d1f41f8f3ea0fe5a4786d3a8fff1875cfc0"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/commit/991224b1e8311c85f198f6dd8208bf8cff7fc26f"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/commit/ba785b88add96acbf403d65cb157fb2743a33a32"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/commit/c5512bd7c1dc28055660565275012766941d3066"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/issues/149079"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/pull/149080"}, {"source": "cna@python.org", "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/PP5HB4K7727OBBM76KA2ILID76K3OZGZ/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/06/03/15"}], "sourceIdentifier": "cna@python.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-407"}], "source": "cna@python.org", "type": "Secondary"}]}

{"bugzilla": {"description": "python: Python unicodedata: Denial of Service due to excessive CPU consumption", "id": "2484424", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2484424"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-606", "details": ["A flaw was found in the `unicodedata.normalize()` function in Python. This vulnerability allows a remote attacker to cause excessive CPU consumption by providing specially crafted Unicode input. Successful exploitation can lead to a Denial of Service (DoS) on the affected system."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-3276", "package_state": [{"cpe": "cpe:/a:redhat:exploit_intelligence:0", "fix_state": "Fix deferred", "package_name": "exploit-intelligence-tech-preview/vulnerability-analysis-rhel9", "product_name": "Exploit Intelligence"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "python3.12", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "python3.14", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Fix deferred", "package_name": "python", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "python", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "python3", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "python3", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "python3.12", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "python36:3.6/python36", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "python3.12", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "python3.14", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "python3.9", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/bootc-aws-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/bootc-azure-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/bootc-azure-rocm-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/bootc-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/bootc-gaudi-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/bootc-gcp-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/bootc-rocm-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}], "public_date": "2026-06-03T14:29:39Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-3276\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-3276\nhttps://github.com/python/cpython/issues/149079\nhttps://github.com/python/cpython/pull/149080\nhttps://mail.python.org/archives/list/security-announce@python.org/thread/PP5HB4K7727OBBM76KA2ILID76K3OZGZ/"], "threat_severity": "Moderate"}