Python unicodedata.normalize() DOS via Long Combining Runs
CVE-2026-3276 Published on June 3, 2026

Potential DoS via quadratic complexity in unicodedata.normalize()
unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.

Vendor Advisory NVD

Weakness Type

Inefficient Algorithmic Complexity

An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.

Affected Versions

Python Software Foundation CPython:

Before 3.15.0b2 is affected.

Python unicodedata.normalize() DOS via Long Combining RunsCVE-2026-3276 Published on June 3, 2026

Weakness Type

Inefficient Algorithmic Complexity

Affected Versions

Python unicodedata.normalize() DOS via Long Combining Runs
CVE-2026-3276 Published on June 3, 2026