PatchSiren cyber security CVE debrief
CVE-2026-45409 kjd CVE debrief
CVE-2026-45409 is a denial-of-service vulnerability affecting Internationalized Domain Names in Applications (IDNA) for Python, specifically versions prior to 3.15. The vulnerability arises from the handling of specially crafted arguments to the `idna.encode()` function, which could consume significant resources. This issue is related to CVE-2024-3651 but was not fully addressed in the previous remediation. The vulnerability is triggered by arbitrarily large inputs that would not occur in normal usage but may be passed to the library without preliminary input validation by the higher-level application.
- Vendor: kjd
- Product: idna
- CVSS: MEDIUM 6.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-05
- Original CVE updated: 2026-06-08
- Advisory published: 2026-06-05
- Advisory updated: 2026-06-08
Who should care
Developers and administrators using Internationalized Domain Names in Applications (IDNA) for Python, especially those who handle domain names that may be passed to the `idna.encode()` function without proper validation.
Technical summary
The `idna.encode()` function in versions of IDNA for Python prior to 3.15 does not efficiently handle long inputs. Payloads such as a large number of Unicode characters can cause the function to consume significant resources, leading to a denial-of-service. This is due to the function's processing of inputs before rejecting them based on length. Starting with version 3.14, the function was modified to reject long inputs sooner to minimize resource consumption. Version 3.15 extended this approach to other functions.
Defensive priority
MEDIUM
Recommended defensive actions
- Update to version 3.15 or later of Internationalized Domain Names in Applications (IDNA) for Python.
- Enforce a domain name length limit of 253 characters before passing the domain to the `idna.encode()` function.
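Both recommended actions can be enforced in application code. The sketch below is an added example, not code from this page or from the idna project: `safe_encode`, `is_fixed`, `installed_idna_version` and `DomainTooLong` are hypothetical names, and the `encoder` parameter is an assumption that lets the guard be exercised without idna installed.

```python
import re
from importlib import metadata
from typing import Callable, Optional

MAX_DOMAIN_LENGTH = 253   # length limit recommended on this page
FIXED_VERSION = (3, 15)   # first idna release this page lists as fixed


class DomainTooLong(ValueError):
    """Input rejected before any IDNA processing was attempted."""


def is_fixed(version: str) -> bool:
    """Compare the numeric major.minor of an idna version string to 3.15."""
    m = re.match(r"(\d+)\.(\d+)", version)
    return bool(m) and (int(m.group(1)), int(m.group(2))) >= FIXED_VERSION


def installed_idna_version() -> Optional[str]:
    """Version of the installed idna distribution, or None if absent."""
    try:
        return metadata.version("idna")
    except metadata.PackageNotFoundError:
        return None


def safe_encode(domain: str, encoder: Optional[Callable[[str], bytes]] = None) -> bytes:
    """Length-check `domain`, then hand it to idna.encode() (or `encoder`)."""
    if not isinstance(domain, str):
        raise TypeError("domain must be str")
    # len() on a str is O(1), so an oversized payload costs nothing here.
    if len(domain) > MAX_DOMAIN_LENGTH:
        raise DomainTooLong(f"{len(domain)} characters exceeds {MAX_DOMAIN_LENGTH}")
    if encoder is None:
        import idna  # imported lazily so the guard is testable without idna
        encoder = idna.encode
    return encoder(domain)


if __name__ == "__main__":
    ver = installed_idna_version()
    print("idna:", ver, "fixed" if ver and is_fixed(ver) else "needs update or not installed")
    calls = []
    stub = lambda d: calls.append(d) or d.encode("ascii")  # stand-in encoder
    print(safe_encode("example.com", stub))                 # constructed sample
    try:
        safe_encode("\u00e9" * 100_000, stub)               # constructed oversized input
    except DomainTooLong as exc:
        print("rejected:", exc, "| encoder calls:", len(calls))
```

The version check compares numeric components because a plain string comparison would rank "3.7" above "3.15".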
Evidence notes
The vulnerability is documented in the official CVE record [cve-org] and detailed in the NVD [nvd]. A security advisory is available [ref-4].
Official resources
- CVE-2026-45409 CVE record (CVE.org)
- CVE-2026-45409 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference
CVE-2026-45409 was published on 2026-06-05T23:16:43.343Z and modified on 2026-06-08T15:02:26.293Z.