UBUNTU-CVE-2026-45409

Source
https://ubuntu.com/security/CVE-2026-45409
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-45409.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-45409
Upstream
  • CVE-2026-45409
Published
2026-06-05T23:16:00Z
Modified
2026-06-17T11:01:32.898639908Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • Ubuntu - medium
Summary
[none]
Details

Internationalized Domain Names in Applications (IDNA) for Python provides support for IDNA and Unicode IDNA Compatibility Processing. In versions prior to 3.15, payloads such as "\u0660" * N or "\u30fb" * N + "\u6f22" reach the valid_contexto function before length rejection and, for high values of N, take a long time to process. This is the same issue as CVE-2024-3651; the original remediation in 2024 was not a complete fix. A specially crafted argument to the idna.encode() function could consume significant resources, which may lead to a denial of service.

Starting in version 3.14, the function rejects long inputs as soon as practicable, prior to any further processing, to minimize resource consumption. In version 3.15, this approach was extended to lesser-used alternate functions (i.e. per-label conversions and codec support).

A workaround is available. Domain names cannot exceed 253 characters in length. If this length limit is enforced prior to passing the domain to the idna.encode() function, it should no longer consume significant resources. The issue is triggered by arbitrarily large inputs that would not occur in normal usage but may be passed to the library when the higher-level application performs no preliminary input validation.
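One way to apply the workaround described above, as an added example rather than code from the idna project or from this advisory: a hypothetical wrapper, guarded_idna_encode, that enforces the 253-character limit before anything reaches idna.encode(). The encoder parameter and the DomainTooLong exception are assumptions introduced here so the guard can be tested without the library installed.

```python
from typing import Callable, Optional, Union

# Limit stated in the advisory: domain names cannot exceed 253 characters.
MAX_DOMAIN_LENGTH = 253


class DomainTooLong(ValueError):
    """Raised before any IDNA processing when the input exceeds the limit."""


def guarded_idna_encode(
    domain: Union[str, bytes, bytearray],
    encoder: Optional[Callable[[str], bytes]] = None,
) -> bytes:
    """Hypothetical wrapper: reject oversized input, then delegate.

    `encoder` defaults to idna.encode; it is injectable (an assumption of
    this example) so callers and tests can confirm it is never reached.
    """
    if not isinstance(domain, (str, bytes, bytearray)):
        raise TypeError("domain must be str, bytes or bytearray")

    # len() is O(1) for all three types, so this check costs nothing even
    # for multi-megabyte input, and it runs before any per-character work.
    if len(domain) > MAX_DOMAIN_LENGTH:
        raise DomainTooLong(
            f"domain is {len(domain)} characters; limit is {MAX_DOMAIN_LENGTH}"
        )

    # Byte input is only meaningful as ASCII here; decoding is bounded by
    # the length check above. Non-ASCII bytes raise UnicodeDecodeError.
    if isinstance(domain, (bytes, bytearray)):
        domain = bytes(domain).decode("ascii")

    if encoder is None:
        import idna  # imported lazily; requires the idna package

        encoder = idna.encode
    return encoder(domain)
```

The guard belongs at the trust boundary where the hostname first arrives (request parsing, form validation), so that every later code path that calls the library inherits it.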

Affected packages

Ubuntu:20.04:LTS
python-idna

Package

Name
python-idna
Purl
pkg:deb/ubuntu/python-idna?arch=source&distro=focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

2.*
2.6-2
2.6-2build1
2.8-1
2.8-1ubuntu0.1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "2.8-1ubuntu0.1",
            "binary_name": "python-idna"
        },
        {
            "binary_version": "2.8-1ubuntu0.1",
            "binary_name": "python3-idna"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-45409.json"
Ubuntu:22.04:LTS
python-idna

Package

Name
python-idna
Purl
pkg:deb/ubuntu/python-idna?arch=source&distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

2.*
2.10-1
3.*
3.2-2
3.3-1
3.3-1ubuntu0.1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "3.3-1ubuntu0.1",
            "binary_name": "python3-idna"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-45409.json"
Ubuntu:24.04:LTS
python-idna

Package

Name
python-idna
Purl
pkg:deb/ubuntu/python-idna?arch=source&distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

3.*
3.3-2
3.6-2
3.6-2ubuntu0.1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "3.6-2ubuntu0.1",
            "binary_name": "python3-idna"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-45409.json"
Ubuntu:25.10
python-idna

Package

Name
python-idna
Purl
pkg:deb/ubuntu/python-idna?arch=source&distro=questing

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

3.*
3.10-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "3.10-1",
            "binary_name": "python3-idna"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-45409.json"
python-pip

Package

Name
python-pip
Purl
pkg:deb/ubuntu/python-pip?arch=source&distro=questing

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

25.*
25.0+dfsg-1
25.1.1+dfsg-1
25.1.1+dfsg-1ubuntu1
25.1.1+dfsg-1ubuntu2

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "25.1.1+dfsg-1ubuntu2",
            "binary_name": "python3-pip"
        },
        {
            "binary_version": "25.1.1+dfsg-1ubuntu2",
            "binary_name": "python3-pip-whl"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-45409.json"
Ubuntu:26.04:LTS
python-idna

Package

Name
python-idna
Purl
pkg:deb/ubuntu/python-idna?arch=source&distro=resolute

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

3.*
3.10-1
3.10-1build1
3.11-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "3.11-1",
            "binary_name": "python3-idna"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-45409.json"
Ubuntu:Pro:14.04:LTS
python-pip

Package

Name
python-pip
Purl
pkg:deb/ubuntu/python-pip?arch=source&distro=esm-infra-legacy%2Ftrusty

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

1.*
1.4.1-2
1.5.4-1
1.5.4-1ubuntu1
1.5.4-1ubuntu3
1.5.4-1ubuntu4
1.5.4-1ubuntu4+esm1
1.5.4-1ubuntu4+esm2
1.5.4-1ubuntu4+esm3
1.5.4-1ubuntu4+esm4
1.5.4-1ubuntu4+esm5

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "1.5.4-1ubuntu4+esm5",
            "binary_name": "python-pip"
        },
        {
            "binary_version": "1.5.4-1ubuntu4+esm5",
            "binary_name": "python-pip-whl"
        },
        {
            "binary_version": "1.5.4-1ubuntu4+esm5",
            "binary_name": "python3-pip"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-45409.json"
Ubuntu:Pro:16.04:LTS
python-idna

Package

Name
python-idna
Purl
pkg:deb/ubuntu/python-idna?arch=source&distro=esm-infra%2Fxenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

2.*
2.0-3
2.0-3ubuntu0.1~esm1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "2.0-3ubuntu0.1~esm1",
            "binary_name": "pypy-idna"
        },
        {
            "binary_version": "2.0-3ubuntu0.1~esm1",
            "binary_name": "python-idna"
        },
        {
            "binary_version": "2.0-3ubuntu0.1~esm1",
            "binary_name": "python3-idna"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-45409.json"
python-pip

Package

Name
python-pip
Purl
pkg:deb/ubuntu/python-pip?arch=source&distro=esm-apps%2Fxenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

1.*
1.5.6-7ubuntu1
1.5.6-7ubuntu2
8.*
8.0.2-7
8.0.3-1
8.0.3-2
8.1.0-1
8.1.0-2
8.1.1-1
8.1.1-2
8.1.1-2ubuntu0.1
8.1.1-2ubuntu0.2
8.1.1-2ubuntu0.4
8.1.1-2ubuntu0.6
8.1.1-2ubuntu0.6+esm2
8.1.1-2ubuntu0.6+esm3
8.1.1-2ubuntu0.6+esm4
8.1.1-2ubuntu0.6+esm5
8.1.1-2ubuntu0.6+esm6
8.1.1-2ubuntu0.6+esm8
8.1.1-2ubuntu0.6+esm10
8.1.1-2ubuntu0.6+esm11
8.1.1-2ubuntu0.6+esm12

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "8.1.1-2ubuntu0.6+esm12",
            "binary_name": "python-pip"
        },
        {
            "binary_version": "8.1.1-2ubuntu0.6+esm12",
            "binary_name": "python-pip-whl"
        },
        {
            "binary_version": "8.1.1-2ubuntu0.6+esm12",
            "binary_name": "python3-pip"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-45409.json"
Ubuntu:Pro:18.04:LTS
python-idna

Package

Name
python-idna
Purl
pkg:deb/ubuntu/python-idna?arch=source&distro=esm-infra%2Fbionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

2.*
2.5-1
2.6-1
2.6-1ubuntu0.1~esm1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "2.6-1ubuntu0.1~esm1",
            "binary_name": "pypy-idna"
        },
        {
            "binary_version": "2.6-1ubuntu0.1~esm1",
            "binary_name": "python-idna"
        },
        {
            "binary_version": "2.6-1ubuntu0.1~esm1",
            "binary_name": "python3-idna"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-45409.json"
python-pip

Package

Name
python-pip
Purl
pkg:deb/ubuntu/python-pip?arch=source&distro=esm-apps%2Fbionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

9.*
9.0.1-2
9.0.1-2.3~ubuntu1
9.0.1-2.3~ubuntu1.18.04.1
9.0.1-2.3~ubuntu1.18.04.2
9.0.1-2.3~ubuntu1.18.04.3
9.0.1-2.3~ubuntu1.18.04.4
9.0.1-2.3~ubuntu1.18.04.5
9.0.1-2.3~ubuntu1.18.04.5+esm2
9.0.1-2.3~ubuntu1.18.04.5+esm3
9.0.1-2.3~ubuntu1.18.04.6
9.0.1-2.3~ubuntu1.18.04.6+esm1
9.0.1-2.3~ubuntu1.18.04.7
9.0.1-2.3~ubuntu1.18.04.7+esm1
9.0.1-2.3~ubuntu1.18.04.8
9.0.1-2.3~ubuntu1.18.04.8+esm1
9.0.1-2.3~ubuntu1.18.04.8+esm2
9.0.1-2.3~ubuntu1.18.04.8+esm4
9.0.1-2.3~ubuntu1.18.04.8+esm6
9.0.1-2.3~ubuntu1.18.04.8+esm7
9.0.1-2.3~ubuntu1.18.04.8+esm8

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "9.0.1-2.3~ubuntu1.18.04.8+esm8",
            "binary_name": "python-pip"
        },
        {
            "binary_version": "9.0.1-2.3~ubuntu1.18.04.8+esm8",
            "binary_name": "python-pip-whl"
        },
        {
            "binary_version": "9.0.1-2.3~ubuntu1.18.04.8+esm8",
            "binary_name": "python3-pip"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-45409.json"
Ubuntu:Pro:20.04:LTS
python-pip

Package

Name
python-pip
Purl
pkg:deb/ubuntu/python-pip?arch=source&distro=esm-apps%2Ffocal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

18.*
18.1-5
18.1-5build1
18.1-5ubuntu1
20.*
20.0.2-2
20.0.2-4
20.0.2-5
20.0.2-5ubuntu1
20.0.2-5ubuntu1.1
20.0.2-5ubuntu1.3
20.0.2-5ubuntu1.4
20.0.2-5ubuntu1.5
20.0.2-5ubuntu1.6
20.0.2-5ubuntu1.7
20.0.2-5ubuntu1.8
20.0.2-5ubuntu1.9
20.0.2-5ubuntu1.10
20.0.2-5ubuntu1.10+esm2
20.0.2-5ubuntu1.11
20.0.2-5ubuntu1.11+esm2
20.0.2-5ubuntu1.11+esm3
20.0.2-5ubuntu1.11+esm4

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "20.0.2-5ubuntu1.11+esm4",
            "binary_name": "python-pip-whl"
        },
        {
            "binary_version": "20.0.2-5ubuntu1.11+esm4",
            "binary_name": "python3-pip"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-45409.json"
Ubuntu:Pro:22.04:LTS
python-pip

Package

Name
python-pip
Purl
pkg:deb/ubuntu/python-pip?arch=source&distro=esm-apps%2Fjammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

20.*
20.3.4-4
21.*
21.3.1+dfsg-3
22.*
22.0.2+dfsg-1
22.0.2+dfsg-1ubuntu0.1
22.0.2+dfsg-1ubuntu0.2
22.0.2+dfsg-1ubuntu0.3
22.0.2+dfsg-1ubuntu0.4
22.0.2+dfsg-1ubuntu0.5
22.0.2+dfsg-1ubuntu0.6
22.0.2+dfsg-1ubuntu0.7
22.0.2+dfsg-1ubuntu0.7+esm1
22.0.2+dfsg-1ubuntu0.7+esm2
22.0.2+dfsg-1ubuntu0.7+esm3

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "22.0.2+dfsg-1ubuntu0.7+esm3",
            "binary_name": "python3-pip"
        },
        {
            "binary_version": "22.0.2+dfsg-1ubuntu0.7+esm3",
            "binary_name": "python3-pip-whl"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-45409.json"
Ubuntu:Pro:24.04:LTS
python-pip

Package

Name
python-pip
Purl
pkg:deb/ubuntu/python-pip?arch=source&distro=esm-apps%2Fnoble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

23.*
23.2+dfsg-1
23.3+dfsg-1
24.*
24.0+dfsg-1
24.0+dfsg-1ubuntu1
24.0+dfsg-1ubuntu1.1
24.0+dfsg-1ubuntu1.2
24.0+dfsg-1ubuntu1.3
24.0+dfsg-1ubuntu1.3+esm1
24.0+dfsg-1ubuntu1.3+esm2
24.0+dfsg-1ubuntu1.3+esm3

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "24.0+dfsg-1ubuntu1.3+esm3",
            "binary_name": "python3-pip"
        },
        {
            "binary_version": "24.0+dfsg-1ubuntu1.3+esm3",
            "binary_name": "python3-pip-whl"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-45409.json"
Ubuntu:Pro:26.04:LTS
python-pip

Package

Name
python-pip
Purl
pkg:deb/ubuntu/python-pip?arch=source&distro=esm-apps%2Fresolute

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

25.*
25.1.1+dfsg-1ubuntu2
25.1.1+dfsg-1ubuntu2+esm1
25.1.1+dfsg-1ubuntu2+esm2
25.1.1+dfsg-1ubuntu2+esm3

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "25.1.1+dfsg-1ubuntu2+esm3",
            "binary_name": "python3-pip"
        },
        {
            "binary_version": "25.1.1+dfsg-1ubuntu2+esm3",
            "binary_name": "python3-pip-whl"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-45409.json"