Description
pypdf is a free and open-source pure-python PDF library. Prior to version 6.6.0, pypdf has possible long runtimes for malformed startxref. An attacker who uses this vulnerability can craft a PDF which leads to possibly long runtimes for invalid startxref entries. When rebuilding the cross-reference table, PDF files with lots of whitespace characters become problematic. Only the non-strict reading mode is affected. This issue has been patched in version 6.6.0.
Published: 2026-01-10
Score: 2.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service (resource exhaustion)
Action: Patch
AI Analysis

Impact

pypdf, a pure‑Python PDF library, contains a flaw that allows an attacker to craft a PDF with a malformed startxref section. When the library processes such a file in non‑strict mode, it may spend an excessive amount of time rebuilding the cross‑reference table, especially if many whitespace characters are present. This unusually long runtime can consume CPU resources and potentially deny service to legitimate users.

Affected Systems

Any system that uses the pypdf package prior to version 6.6.0 is affected. The vulnerability is present in all releases of the library published under the py-pdf vendor before that version, and it applies only to the non-strict reading mode. Applications that import pypdf to parse user-supplied PDFs are at risk unless they explicitly enforce strict mode or otherwise protect the parsing operation.

Risk and Exploitability

The CVSS score is 2.7, indicating a moderate impact. At the time of assessment the exploitation probability is very low (<1 %) and the vulnerability is not listed in CISA’s KEV catalog. Attackers would need to supply the crafted PDF to the target system; if accepted, the long reconstruction phase could lead to denial of service. The issue has already been fixed in version 6.6.0, so upgrading provides a definitive mitigation.

Generated by OpenCVE AI on April 18, 2026 at 07:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade pypdf to version 6.6.0 or later
  • If an upgrade is not yet possible, reject or sanitise PDFs that contain extensive whitespace before passing them to pypdf
  • Configure applications to use pypdf’s strict mode to avoid the vulnerable code path
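As an added example (not pypdf's own code), a stdlib-only pre-parse check that follows the recommended actions above: it reads the trailing startxref pointer and confirms it lands on an xref table or an object, so an application can reject a PDF whose pointer points into a whitespace run or past end-of-file instead of handing it to a non-strict parser that would rebuild the cross-reference table. The sample PDFs are constructed inline; the function names and the whitespace tolerance are assumptions of this example.

```python
import re

# Added example (not pypdf project code). Sample PDFs are constructed below;
# helper names and the whitespace tolerance are this example's own choices.
PDF_WHITESPACE = b"\x00\t\n\x0c\r "
STARTXREF_RE = re.compile(rb"startxref\s+(\d+)\s+%%EOF")
OBJ_HEADER_RE = re.compile(rb"\d+\s+\d+\s+obj\b")  # cross-reference streams live in an object
MAX_LEADING_WS = 8  # a few stray whitespace bytes before 'xref' are tolerated


def check_startxref(data: bytes, tail_bytes: int = 2048) -> str:
    """Return 'ok' if the last startxref points at xref data, else the reason it does not."""
    matches = list(STARTXREF_RE.finditer(data[-tail_bytes:]))
    if not matches:
        return "no 'startxref <offset> %%EOF' sequence in the file tail"
    offset = int(matches[-1].group(1))
    if offset >= len(data):
        return f"startxref offset {offset} is past end of file ({len(data)} bytes)"
    window = data[offset:offset + 64]
    stripped = window.lstrip(PDF_WHITESPACE)
    leading_ws = len(window) - len(stripped)
    if leading_ws > MAX_LEADING_WS:
        return f"at least {leading_ws} whitespace bytes at startxref offset {offset}"
    if stripped.startswith(b"xref") or OBJ_HEADER_RE.match(stripped):
        return "ok"
    return f"startxref offset {offset} points at neither an xref table nor an object"


def build_pdf(pad: bytes = b"", startxref_override: int = -1) -> bytes:
    """Construct a one-object PDF (sample data). `pad` is inserted before the xref
    table; a non-negative `startxref_override` makes the trailer pointer wrong on purpose."""
    header = b"%PDF-1.4\n"
    body = header + b"1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    xref = (b"xref\n0 2\n0000000000 65535 f \n"
            + f"{len(header):010d} 00000 n \n".encode()
            + b"trailer\n<< /Size 2 /Root 1 0 R >>\n")
    pointer = startxref_override if startxref_override >= 0 else len(body) + len(pad)
    return body + pad + xref + b"startxref\n" + str(pointer).encode() + b"\n%%EOF\n"


GOOD_PDF = build_pdf()
BODY_LEN = GOOD_PDF.index(b"xref\n")  # offset where the xref table (or any pad) begins
# Pointer lands at the start of a 4000-byte whitespace run: the shape this advisory describes.
WHITESPACE_PDF = build_pdf(pad=b"\n" * 4000, startxref_override=BODY_LEN)
OUT_OF_RANGE_PDF = build_pdf(startxref_override=10 ** 6)

if __name__ == "__main__":
    for name, pdf in [("good", GOOD_PDF), ("whitespace", WHITESPACE_PDF), ("range", OUT_OF_RANGE_PDF)]:
        print(f"{name:10s} -> {check_startxref(pdf)}")
```

A file that fails the check can be rejected outright or opened with pypdf's `strict=True` reader option, which the advisory identifies as the unaffected path.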


Advisories

Source      | ID                  | Title
GitHub GHSA | GHSA-4f6g-68pf-7vhv | pypdf has possible long runtimes for malformed startxref
History

Thu, 22 Jan 2026 15:15:00 +0000

Type                | Values Removed                                                                      | Values Added
First Time appeared |                                                                                     | Pypdf Project; Pypdf Project pypdf
CPEs                |                                                                                     | cpe:2.3:a:pypdf_project:pypdf:*:*:*:*:*:*:*:*
Vendors & Products  |                                                                                     | Pypdf Project; Pypdf Project pypdf
Metrics             | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'} | cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Tue, 13 Jan 2026 00:15:00 +0000

Type       | Values Removed       | Values Added
References |                      |
Metrics    | threat_severity None | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}; threat_severity Moderate

Mon, 12 Jan 2026 17:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 12 Jan 2026 14:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Py-pdf; Py-pdf pypdf
Vendors & Products  |                | Py-pdf; Py-pdf pypdf

Sat, 10 Jan 2026 05:00:00 +0000

Type        | Values Removed | Values Added
Description |                | pypdf is a free and open-source pure-python PDF library. Prior to version 6.6.0, pypdf has possible long runtimes for malformed startxref. An attacker who uses this vulnerability can craft a PDF which leads to possibly long runtimes for invalid startxref entries. When rebuilding the cross-reference table, PDF files with lots of whitespace characters become problematic. Only the non-strict reading mode is affected. This issue has been patched in version 6.6.0.
Title       |                | pypdf has possible long runtimes for malformed startxref
Weaknesses  |                | CWE-1333; CWE-400
References  |                |
Metrics     |                | cvssV4_0 {'score': 2.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U'}


MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-01-12T16:48:53.503Z
Reserved: 2026-01-08T19:23:09.855Z
Link: CVE-2026-22691

Vulnrichment

Updated: 2026-01-12T16:48:50.916Z

NVD

Status: Analyzed
Published: 2026-01-10T05:16:08.680
Modified: 2026-01-22T15:01:05.967
Link: CVE-2026-22691

Redhat

Severity: Moderate
Public Date: 2026-01-10T04:46:12Z
Links: CVE-2026-22691 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T07:15:25Z

Weaknesses