Bug 2498560 - CVE-2026-45409 python-idna: idna: Denial of Service via specially crafted long inputs [fedora-all]
Summary: CVE-2026-45409 python-idna: idna: Denial of Service via specially crafted lon...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: python-idna
Version: rawhide
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
Assignee: Lumír Balhar
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: {"flaws": ["5a12c940-6faf-4925-a853-0...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-07-09 16:31 UTC by Michalis Papadopoullos
Modified: 2026-07-12 01:11 UTC (History)
4 users (show)

Fixed In Version: python-idna-3.18-1.fc44
Clone Of:
Environment:
Last Closed: 2026-07-12 01:11:33 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Michalis Papadopoullos 2026-07-09 16:31:59 UTC
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.

Internationalized Domain Names in Applications (IDNA) for Python provides support for Internationalized Domain Names in Applications (IDNA) and Unicode IDNA Compatibility Processing. In versions prior to 3.15, payloads such as `"\u0660" * N` or `"\u30fb" * N + "\u6f22"` utilize the `valid_contexto` function prior to length rejection, and for high values of `N` will take a long time to process. This is the same issue as CVE-2024-3651, however the original remediation in 2024 was not a complete fix. A specially crafted argument to the `idna.encode()` function could consume significant resources. This may lead to a denial-of-service. Starting in version 3.14, the function rejects long inputs as soon as practicable prior to any further processing to minimize resource consumption. In version 3.15, this approach was extended to lesser used alternate functions (i.e. per-label conversions and codec support). A workaround is available. Domain names cannot exceed 253 characters in length. If this length limit is enforced prior to passing the domain to the `idna.encode()` function, it should no longer consume significant resources. This is triggered by arbitrarily large inputs that would not occur in normal usage, but may be passed to the library assuming there is no preliminary input validation by the higher-level application.

Comment 1 Fedora Update System 2026-07-10 10:16:36 UTC
FEDORA-2026-6215e65f6c (python-idna-3.18-1.fc43) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-6215e65f6c

Comment 2 Fedora Update System 2026-07-10 10:16:38 UTC
FEDORA-2026-822c07add4 (python-idna-3.18-1.fc44) has been submitted as an update to Fedora 44.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-822c07add4

Comment 3 Fedora Update System 2026-07-11 01:33:44 UTC
FEDORA-2026-822c07add4 has been pushed to the Fedora 44 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2026-822c07add4`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2026-822c07add4

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 4 Fedora Update System 2026-07-11 01:47:05 UTC
FEDORA-2026-6215e65f6c has been pushed to the Fedora 43 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2026-6215e65f6c`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2026-6215e65f6c

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 5 Fedora Update System 2026-07-12 01:11:33 UTC
FEDORA-2026-822c07add4 (python-idna-3.18-1.fc44) has been pushed to the Fedora 44 stable repository.
If problem still persists, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.