CVE-2026-45409
Denial-of-service vulnerability in idna (PyPI)
What is CVE-2026-45409 About?
idna.encode() runs its contextual validation of a label before it checks the label's length, so a specially crafted, very long input makes the function consume significant CPU time before the input is finally rejected. An attacker who can feed such input to the function can exhaust resources and potentially hang or crash the application. Exploitation only requires sending specific long input strings to the affected function, making it moderately easy to leverage.
Affected Software
idna (PyPI), versions earlier than 3.15
Technical Details
The vulnerability arises from insufficient input validation within the idna.encode() function: the length of a label is only checked after its contextual rules have been evaluated. Payloads such as "\u0660" * N (ARABIC-INDIC DIGIT ZERO repeated N times) or "\u30fb" * N + "\u6f22" (KATAKANA MIDDLE DOT repeated N times, followed by a Han character that satisfies its contextual rule) consist of CONTEXTO code points, so valid_contexto is invoked for every one of them before the label is rejected as too long. For these two code points each valid_contexto call scans the entire label, so the total work grows quadratically with N. For large values of N this results in prolonged processing time, and the caller is tied up in validation long before the input's excessive length is recognised and rejected.
What is the Impact of CVE-2026-45409?
Successful exploitation allows an attacker to cause a denial-of-service condition through excessive CPU consumption, leaving the application unresponsive or, potentially, crashing it.
What is the Exploitability of CVE-2026-45409?
Exploitation involves submitting a specially formatted, excessively long string to the idna.encode() function; the complexity is moderate. No authentication is explicitly required, assuming the attacker can feed arbitrary data to the function, and the privilege requirement is low because the attack vector is application-level input. The vulnerability is remotely exploitable if the application passes external input (for example, user-supplied hostnames or URLs) to idna.encode(), or locally exploitable if it processes local files or inputs. A key constraint is that the input must be long enough to trigger the resource exhaustion, so applications that do not bound input length before calling the library are at higher risk.
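To make the trigger described under Technical Details and the "bound input length first" mitigation from the paragraph above concrete, here is an added example (not code from the idna project or from this advisory). It builds the two payload shapes quoted in the advisory for a chosen N, and wraps idna.encode() in a guard that enforces the DNS length limits (63 octets per label, 253 per name, which idna itself only enforces after its contextual checks) before the library is called. The guard counts code points rather than octets, which is a conservative upper bound: a label with more than 63 code points can never fit in a 63-octet A-label, so anything the guard rejects would fail idna's own length check too, and it never rejects valid input. The names build_payloads, prevalidate, is_safe_length, safe_encode and time_encode are this example's own; idna.encode() and idna.IDNAError are the library's real API.

```python
"""Length pre-validation in front of idna.encode().

Added example for this advisory, not code from the idna project. The guard
enforces the DNS length limits in O(len(name)) before the library starts its
per-code-point contextual checks, so an oversized label is rejected cheaply
instead of being validated first and rejected afterwards.
"""
import time
from typing import Dict, List, Optional

# A-labels longer than 63 octets (and names longer than 253) are invalid DNS.
# Counting code points is conservative: every non-ASCII code point costs at
# least one octet in punycode, so >63 code points can never fit in 63 octets.
MAX_LABEL_CODEPOINTS = 63
MAX_NAME_CODEPOINTS = 253

# Full stops that IDNA/UTS46 treat as label separators.
LABEL_SEPARATORS = {"\u002e", "\u3002", "\uff0e", "\uff61"}


def build_payloads(n: int) -> Dict[str, str]:
    """The two payload shapes named in the advisory for a chosen repeat count N.

    Both are single labels built from CONTEXTO code points: U+0660 ARABIC-INDIC
    DIGIT ZERO, and U+30FB KATAKANA MIDDLE DOT followed by one Han character
    (U+6F22) so that the middle dot's contextual rule is satisfied.
    """
    return {
        "arabic_indic_digits": "\u0660" * n,
        "katakana_middle_dot": "\u30fb" * n + "\u6f22",
    }


def split_labels(name: str) -> List[str]:
    """Split a name into labels on any of the IDNA full-stop equivalents."""
    labels: List[str] = []
    current: List[str] = []
    for ch in name:
        if ch in LABEL_SEPARATORS:
            labels.append("".join(current))
            current = []
        else:
            current.append(ch)
    labels.append("".join(current))
    return labels


def prevalidate(name: str) -> None:
    """Raise ValueError if the name or any label exceeds the DNS length limits."""
    if len(name) > MAX_NAME_CODEPOINTS:
        raise ValueError(f"name too long: {len(name)} code points")
    for label in split_labels(name):
        if len(label) > MAX_LABEL_CODEPOINTS:
            raise ValueError(f"label too long: {len(label)} code points")


def is_safe_length(name: str) -> bool:
    """Boolean form of prevalidate(), convenient for filtering input."""
    try:
        prevalidate(name)
        return True
    except ValueError:
        return False


def safe_encode(name: str) -> bytes:
    """Length-guarded wrapper around idna.encode(); assumes idna is installed."""
    prevalidate(name)
    import idna  # imported lazily so the guard itself has no dependency
    return idna.encode(name)


def time_encode(name: str, guarded: bool) -> Optional[float]:
    """Seconds spent rejecting `name`, or None if the idna package is absent.

    Both paths are expected to raise for an oversized label (idna.IDNAError is
    a ValueError subclass); the interesting part is how long that takes.
    """
    try:
        import idna
    except ImportError:
        return None
    fn = safe_encode if guarded else idna.encode
    start = time.perf_counter()
    try:
        fn(name)
    except ValueError:
        pass
    return time.perf_counter() - start


if __name__ == "__main__":
    # N=5000 keeps the unguarded run to a few seconds on an affected version.
    for kind, payload in build_payloads(5000).items():
        for guarded in (False, True):
            elapsed = time_encode(payload, guarded)
            shown = "idna not installed" if elapsed is None else f"{elapsed:.3f}s"
            print(f"{kind:22s} guarded={guarded!s:5s} {shown}")
```

On an affected version the unguarded call spends seconds inside valid_contexto before raising "Label too long", while the guarded call rejects the same payload immediately. The guard is a defence in depth for callers that accept hostnames from untrusted sources; upgrading idna to 3.15 remains the actual fix.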
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2026-45409?
Available Upgrade Options
- idna
- <3.15 → Upgrade to 3.15
What are Similar Vulnerabilities to CVE-2026-45409?
Similar Vulnerabilities: CVE-2024-3651, CVE-2021-36195, CVE-2020-8037, CVE-2020-8493, CVE-2019-15891
