DEBIAN-CVE-2026-3276

Source
https://security-tracker.debian.org/tracker/CVE-2026-3276
Import Source
https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-3276.json
JSON Data
https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2026-3276
Upstream
Published
2026-06-03T16:16:29.253Z
Modified
2026-07-11T21:00:29.620973509Z
Severity
  • 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator
Summary
[none]
Details

unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.

References

Affected packages

Debian:11
python2.7

Package

Name
python2.7
Purl
pkg:deb/debian/python2.7?arch=source&distro=bullseye

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.7.18-8
2.7.18-8+deb11u1
2.7.18-9
2.7.18-10
2.7.18-11
2.7.18-12
2.7.18-13
2.7.18-13.1~exp1
2.7.18-13.1
2.7.18-13.2

Ecosystem specific

{
    "urgency": "end-of-life"
}

Database specific

source
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-3276.json"
python3.9

Package

Name
python3.9
Purl
pkg:deb/debian/python3.9?arch=source&distro=bullseye

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*
3.9.2-1
3.9.2-1+deb11u1
3.9.2-1+deb11u2
3.9.2-1+deb11u3
3.9.2-1+deb11u4
3.9.2-1+deb11u5
3.9.2-1+deb11u6
3.9.2-1+deb11u7
3.9.3-1
3.9.3-2
3.9.4-1
3.9.5-1
3.9.5-2
3.9.5-3
3.9.6-1
3.9.7-1
3.9.7-2
3.9.7-4
3.9.8-1
3.9.8-2
3.9.9-1
3.9.9-2
3.9.9-3
3.9.9-4
3.9.10-1
3.9.10-2
3.9.11-1
3.9.12-1
3.9.13-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-3276.json"
Debian:12
python3.11

Package

Name
python3.11
Purl
pkg:deb/debian/python3.11?arch=source&distro=bookworm

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*
3.11.2-6
3.11.2-6+deb12u1
3.11.2-6+deb12u2
3.11.2-6+deb12u3
3.11.2-6+deb12u4
3.11.2-6+deb12u5
3.11.2-6+deb12u6
3.11.2-6+deb12u7
3.11.2-6+deb12u8
3.11.3-1
3.11.3-2
3.11.4-1
3.11.5-1
3.11.5-2
3.11.5-3
3.11.6-1
3.11.6-2
3.11.6-3~hurd.2
3.11.6-3
3.11.7-1
3.11.7-2
3.11.8-1
3.11.8-1.1~exp1
3.11.8-1.1~exp2
3.11.8-2
3.11.8-3
3.11.8-3+hurd.1
3.11.9-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-3276.json"
Debian:13
python3.13

Package

Name
python3.13
Purl
pkg:deb/debian/python3.13?arch=source&distro=trixie

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.13.5-2+deb13u3

Affected versions

3.*
3.13.5-2
3.13.5-2+deb13u1
3.13.5-2+deb13u2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-3276.json"
Debian:14
python3.13

Package

Name
python3.13
Purl
pkg:deb/debian/python3.13?arch=source&distro=forky

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.13.14-1

Affected versions

3.*
3.13.5-2
3.13.6-1
3.13.7-1
3.13.8-1
3.13.9-1
3.13.11-1
3.13.12-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-3276.json"
python3.14

Package

Name
python3.14
Purl
pkg:deb/debian/python3.14?arch=source&distro=forky

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.14.6-1

Affected versions

3.*
3.14.0~a7-1
3.14.0~b1-1
3.14.0~b2-1
3.14.0~b3-1
3.14.0~b4-1
3.14.0~rc1-1
3.14.0~rc2-1
3.14.0~rc3-1
3.14.0-1
3.14.0-2
3.14.0-3
3.14.0-4
3.14.0-5
3.14.2-1
3.14.3-1
3.14.3-2
3.14.3-3
3.14.3-4
3.14.3-5
3.14.4-1
3.14.4-2
3.14.5~rc1-1
3.14.5-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-3276.json"