CVE-2026-22691 - Vulnerability Details

pypdf is a free and open-source pure-python PDF library. Prior to version 6.6.0, pypdf has possible long runtimes for malformed startxref. An attacker who uses this vulnerability can craft a PDF which leads to possibly long runtimes for invalid startxref entries. When rebuilding the cross-reference table, PDF files with lots of whitespace characters become problematic. Only the non-strict reading mode is affected. Only the non-strict reading mode is affected. This issue has been patched in version 6.6.0.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00019.

Exploitation none

Automatable yes

Technical Impact partial

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

py-pdf

pypdf

affected

Version	Status	Constraints
`< 6.6.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:pypdf_project:pypdf:*:*:*:*:*:*:*:*

No data.

Vendor	Product	Confidence	Versions
Py-pdf	Pypdf	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Subscriptions

Vendors	Products
Py-pdf Subscribe	Pypdf Subscribe
Pypdf Project Subscribe	Pypdf Subscribe

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-4f6g-68pf-7vhv	pypdf has possible long runtimes for malformed startxref

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/py-pdf/pypdf/commit/294165726b646bb7799be1cc787f593f2fdbcf45
https://github.com/py-pdf/pypdf/pull/3594
https://github.com/py-pdf/pypdf/releases/tag/6.6.0
https://github.com/py-pdf/pypdf/security/advisories/GHSA-4f6g-68pf-7vhv
https://nvd.nist.gov/vuln/detail/CVE-2026-22691
https://www.cve.org/CVERecord?id=CVE-2026-22691

History

Thu, 22 Jan 2026 15:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Pypdf Project Pypdf Project pypdf
CPEs		cpe:2.3:a:pypdf_project:pypdf::::::::
Vendors & Products		Pypdf Project Pypdf Project pypdf
Metrics	cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}`	cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}`

Tue, 13 Jan 2026 00:15:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2026-22691 https://www.cve.org/CVERecord?id=CVE-2026-22691
Metrics	threat_severity `None`	cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}` threat_severity `Moderate`

Mon, 12 Jan 2026 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 12 Jan 2026 14:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Py-pdf Py-pdf pypdf
Vendors & Products		Py-pdf Py-pdf pypdf

Sat, 10 Jan 2026 05:00:00 +0000

Type	Values Removed	Values Added
Description		pypdf is a free and open-source pure-python PDF library. Prior to version 6.6.0, pypdf has possible long runtimes for malformed startxref. An attacker who uses this vulnerability can craft a PDF which leads to possibly long runtimes for invalid startxref entries. When rebuilding the cross-reference table, PDF files with lots of whitespace characters become problematic. Only the non-strict reading mode is affected. Only the non-strict reading mode is affected. This issue has been patched in version 6.6.0.
Title		pypdf has possible long runtimes for malformed startxref
Weaknesses		CWE-1333 CWE-400
References		https://github.com/py-pdf/pypdf/commit/294165726b646bb7799be1cc787f593f2fdbcf45 https://github.com/py-pdf/pypdf/pull/3594 https://github.com/py-pdf/pypdf/releases/tag/6.6.0 https://github.com/py-pdf/pypdf/security/advisories/GHSA-4f6g-68pf-7vhv
Metrics		cvssV4_0 `{'score': 2.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-01-10T04:46:12.423Z

Updated: 2026-01-12T16:48:53.503Z

Reserved: 2026-01-08T19:23:09.855Z

Link: CVE-2026-22691

Vulnrichment

Updated: 2026-01-12T16:48:50.916Z

NVD

Status : Analyzed

Published: 2026-01-10T05:16:08.680

Modified: 2026-01-22T15:01:05.967

Link: CVE-2026-22691

Redhat

Severity : Moderate

Publid Date: 2026-01-10T04:46:12Z

Links: CVE-2026-22691 - Bugzilla

OpenCVE Enrichment

Updated: 2026-01-12T14:36:39Z

Weaknesses

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

Tracking

JSON object

JSON object

JSON object

JSON object

JSON object