CVE-2026-45409 is a denial-of-service vulnerability in the Python idna (Internationalized Domain Names in Applications) library affecting all versions prior to 3.15. It is a regression of CVE-2024-3651, where the original 2024 remediation was incomplete — certain Unicode payloads (e.g., "\u0660" * N or "\u30fb" * N + "\u6f22") can still invoke the valid_contexto function before input length is checked, causing excessive CPU consumption for large values of N. The vulnerability was published to the GitHub Advisory Database on May 19, 2026, and to the NVD on June 5, 2026. It carries a CVSS v4 base score of 6.9 (Medium) (GitHub Advisory, GHSA).
The root cause is classified as CWE-1333 (Inefficient Regular Expression Complexity), related to CAPEC-492 (Regular Expression Exponential Blowup). Specifically, the valid_contexto function in idna.encode() performs expensive per-character context validation before the library enforces the DNS maximum domain name length of 253 characters, so arbitrarily large Unicode inputs can drive near-exponential CPU usage. The fix in version 3.14 added early-exit length rejection in the main idna.encode() path; version 3.15 extended this protection to the per-label conversion functions and codec support paths that the earlier patch did not cover. No public proof-of-concept exploit code has been identified (GitHub Advisory, GHSA).
Successful exploitation causes excessive CPU resource consumption in the affected Python process, potentially rendering the application unresponsive and resulting in a denial-of-service condition. There is no impact on confidentiality or integrity — the vulnerability is limited to availability of the vulnerable system. Applications that accept user-supplied domain names and pass them without length validation to idna.encode() are at greatest risk, particularly internet-facing services (GitHub Advisory).
Upgrade the idna Python package to version 3.15, which extends early-exit length rejection to all affected code paths including per-label conversions and codec support. Version 3.14 provides a partial fix covering the main idna.encode() path but does not address the lesser-used alternate functions. As a workaround without upgrading, enforce a maximum domain name length of 253 characters in the application layer before passing any input to idna.encode(), which prevents the expensive valid_contexto processing from being triggered on oversized inputs (GitHub Advisory, GHSA).
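The application-layer workaround above, written out as an added example (this is not code from the advisory or from the idna project): a wrapper that checks the raw input against the DNS limits before idna.encode() is ever called, so the per-character context validation is never reached for oversized input. The function and exception names (validate_domain_length, safe_idna_encode, is_within_dns_limits, DomainTooLong) are hypothetical, and the hostile inputs are constructed from the payload shapes the advisory quotes. It goes slightly beyond the text by also enforcing the 63-character per-label limit, which matters because the unprotected code paths in versions before 3.15 were the per-label ones.

```python
# Added example (not from the advisory or the idna project): a defensive
# wrapper that enforces DNS length limits on the raw input *before* calling
# idna.encode(), so the expensive per-character context validation described
# in the advisory is never reached for oversized input. Function and
# exception names are hypothetical.

MAX_DOMAIN_LEN = 253  # DNS maximum for a full name (the limit cited in the advisory)
MAX_LABEL_LEN = 63    # DNS maximum for a single label (RFC 1035)


class DomainTooLong(ValueError):
    """Raised when input exceeds DNS length limits before any encoding work."""


def validate_domain_length(domain: str) -> str:
    """Return `domain` unchanged if it is within DNS limits, else raise DomainTooLong.

    The checks cost O(len(domain)) and look only at code point counts; they
    never inspect Unicode properties, so they stay cheap for hostile input.
    Counting code points loses no valid names: Punycode emits at least one
    output character per input code point (plus the "xn--" prefix), so an
    input with more than 253 code points cannot encode to a 253-octet name.
    """
    # A trailing dot on a fully-qualified name does not count toward the limit.
    stripped = domain[:-1] if domain.endswith(".") else domain
    if len(stripped) > MAX_DOMAIN_LEN:
        raise DomainTooLong(
            f"domain has {len(stripped)} code points, limit is {MAX_DOMAIN_LEN}"
        )
    for label in stripped.split("."):
        if len(label) > MAX_LABEL_LEN:
            raise DomainTooLong(
                f"label has {len(label)} code points, limit is {MAX_LABEL_LEN}"
            )
    return domain


def safe_idna_encode(domain: str) -> bytes:
    """Length-guarded replacement for a bare idna.encode(domain) call."""
    validate_domain_length(domain)
    # Imported lazily so the guard above runs (and can reject) before the
    # library is even loaded; on an unpatched idna this guard is what keeps
    # oversized user input away from valid_contexto.
    import idna
    return idna.encode(domain)


def is_within_dns_limits(domain: str) -> bool:
    """Boolean form of the guard, convenient for input-validation layers."""
    try:
        validate_domain_length(domain)
        return True
    except DomainTooLong:
        return False


if __name__ == "__main__":
    # Constructed inputs: the advisory's payload shapes with a large N, plus
    # an ordinary name. Neither hostile input reaches idna.encode().
    hostile = ["\u0660" * 100_000, "\u30fb" * 100_000 + "\u6f22"]
    for sample in hostile:
        print(len(sample), "code points ->", is_within_dns_limits(sample))  # False
    print(safe_idna_encode("example.com"))  # b'example.com'
```

Use safe_idna_encode() wherever the application currently calls idna.encode() on untrusted input; the guard is independent of the installed idna version, so it remains a cheap defence-in-depth layer after upgrading to 3.15.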
The vulnerability was reported by community contributor StanFromIreland and remediated by the kjd/idna maintainer. The advisory notes this is a bypass of the 2024 fix for CVE-2024-3651, highlighting the challenge of completely remediating algorithmic complexity vulnerabilities. The openSUSE Tumbleweed monthly update for May 2026 referenced the fix, indicating downstream Linux distributions have begun incorporating the patch (openSUSE).
Source: This report was generated with the help of AI.