CVE-2026-22690 - Vulnerability Details

- pypdf has possible long runtimes for missing /Root object with large /Size values

Description

pypdf is a free and open-source pure-python PDF library. Prior to version 6.6.0, pypdf has possible long runtimes for missing /Root object with large /Size values. An attacker who uses this vulnerability can craft a PDF which leads to possibly long runtimes for actually invalid files. This can be achieved by omitting the /Root entry in the trailer, while using a rather large /Size value. Only the non-strict reading mode is affected. This issue has been patched in version 6.6.0.

Published: 2026-01-10

Score: 2.7 Low

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A PDF parsing flaw in the open‑source pypdf library allows an attacker to craft a malicious PDF that, when processed in non‑strict mode, can cause unusually long runtimes by omitting the /Root entry while specifying a very large /Size value. The resulting delay does not compromise confidentiality or integrity, but it can consume significant CPU resources, effectively leading to a denial‑of‑service condition for the process or application using the library. The weakness maps to CWE‑400, which describes unbounded resource usage.

Affected Systems

The vulnerability affects the pypdf project, specifically versions prior to 6.6.0. All installations that rely on the non‑strict reading mode of pypdf before this release are susceptible. The issue was addressed in release 6.6.0 and later.

Risk and Exploitability

The CVSS score of 2.7 indicates a low severity, and the EPSS score of less than 1% suggests a very low probability of exploitation in the wild. The attack vector requires an attacker to supply a crafted PDF file to the vulnerable process; no privileged access or additional conditions are specified in the description. Because the issue is limited to non‑strict mode, systems that have not configured strict parsing may remain at risk. The vulnerability is not listed in the CISA KEV catalog, further indicating its limited impact profile.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

py-pdf

pypdf

affected

Version	Status	Constraints
`< 6.6.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:pypdf_project:pypdf:*:*:*:*:*:*:*:*

No data.

Vendor	Product	Confidence	Versions
Py-pdf	Pypdf	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade pypdf to version 6.6.0 or later
Configure the library to use strict reading mode to avoid the long runtime scenario
Validate or sanitize PDF inputs before passing them to pypdf

Generated by OpenCVE AI on April 18, 2026 at 07:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-4xc4-762w-m6cg	pypdf has possible long runtimes for missing /Root object with large /Size values

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00019.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/py-pdf/pypdf/commit/294165726b646bb7799be1cc787f593f2fdbcf45
https://github.com/py-pdf/pypdf/pull/3594
https://github.com/py-pdf/pypdf/releases/tag/6.6.0
https://github.com/py-pdf/pypdf/security/advisories/GHSA-4xc4-762w-m6cg
https://nvd.nist.gov/vuln/detail/CVE-2026-22690
https://www.cve.org/CVERecord?id=CVE-2026-22690

History

Thu, 22 Jan 2026 15:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Pypdf Project Pypdf Project pypdf
CPEs		cpe:2.3:a:pypdf_project:pypdf::::::::
Vendors & Products		Pypdf Project Pypdf Project pypdf
Metrics	cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}`	cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}`

Wed, 14 Jan 2026 00:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 13 Jan 2026 00:15:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2026-22690 https://www.cve.org/CVERecord?id=CVE-2026-22690
Metrics	threat_severity `None`	cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}` threat_severity `Moderate`

Mon, 12 Jan 2026 14:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Py-pdf Py-pdf pypdf
Vendors & Products		Py-pdf Py-pdf pypdf

Sat, 10 Jan 2026 05:00:00 +0000

Type	Values Removed	Values Added
Description		pypdf is a free and open-source pure-python PDF library. Prior to version 6.6.0, pypdf has possible long runtimes for missing /Root object with large /Size values. An attacker who uses this vulnerability can craft a PDF which leads to possibly long runtimes for actually invalid files. This can be achieved by omitting the /Root entry in the trailer, while using a rather large /Size value. Only the non-strict reading mode is affected. This issue has been patched in version 6.6.0.
Title		pypdf has possible long runtimes for missing /Root object with large /Size values
Weaknesses		CWE-400
References		https://github.com/py-pdf/pypdf/commit/294165726b646bb7799be1cc787f593f2fdbcf45 https://github.com/py-pdf/pypdf/pull/3594 https://github.com/py-pdf/pypdf/releases/tag/6.6.0 https://github.com/py-pdf/pypdf/security/advisories/GHSA-4xc4-762w-m6cg
Metrics		cvssV4_0 `{'score': 2.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U'}`

Subscriptions

Py-pdf Pypdf

Pypdf Project Pypdf

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-01-10T04:41:20.773Z

Updated: 2026-01-12T17:07:00.323Z

Reserved: 2026-01-08T19:23:09.854Z

Link: CVE-2026-22690

Vulnrichment

Updated: 2026-01-12T17:06:56.573Z

NVD

Status : Analyzed

Published: 2026-01-10T05:16:01.847

Modified: 2026-01-22T15:35:23.627

Link: CVE-2026-22690

Redhat

Severity : Moderate

Publid Date: 2026-01-10T04:41:20Z

Links: CVE-2026-22690 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T07:15:25Z

Weaknesses

CWE-400

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object