CVE-2026-24688 - Vulnerability Details

- pypdf has possible Infinite Loop when processing outlines/bookmarks

Description

pypdf is a free and open-source pure-python PDF library. An attacker who uses an infinite loop vulnerability that is present in versions prior to 6.6.2 can craft a PDF which leads to an infinite loop. This requires accessing the outlines/bookmarks. This has been fixed in pypdf 6.6.2. If projects cannot upgrade yet, consider applying the changes from PR #3610 manually.

Published: 2026-01-27

Score: 5.1 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

This vulnerability allows an attacker to craft a PDF that, when processed by pypdf, causes the library to enter an infinite loop while handling outlines and bookmarks. The loop can consume significant CPU and memory, potentially exhausting system resources and rendering the application unresponsive. The flaw is a classic infinite‑loop weakness and is classified as CWE‑835. There is no known path to arbitrary code execution or data disclosure.

Affected Systems

The issue affects the py-pdf pypdf library in any version prior to 6.6.2. All installations using older releases are vulnerable unless they have applied the manual changes from the referenced pull request.

Risk and Exploitability

The calculated CVSS score is 5.1, indicating a moderate severity. The EPSS score is below 1 %, suggesting a low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to supply a specially crafted PDF that is parsed by the vulnerable library, which typically occurs in applications that load PDFs from untrusted sources. If such parsing is performed in a high‑privilege context, the resulting denial of service could be critical to business operations.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

py-pdf

pypdf

affected

Version	Status	Constraints
`< 6.6.2`	affected	—

Configuration 1 [-]

cpe:2.3:a:pypdf_project:pypdf:*:*:*:*:*:*:*:*

No data.

Vendor	Product	Confidence	Versions
Py-pdf	Pypdf	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the pypdf library to version 6.6.2 or later
If an upgrade cannot be performed immediately, apply the changes from pull request #3610 to your local copy of the library
Limit or sandbox processing of PDFs coming from untrusted sources to reduce the impact of a denial‑of‑service attack

Generated by OpenCVE AI on April 18, 2026 at 01:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-2q4j-m29v-hq73	pypdf has possible Infinite Loop when processing outlines/bookmarks

Attack Vector Local

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00011.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/py-pdf/pypdf/commit/b1282f8dcdc1a7b41ceab6740ffddfdf31b1fec1
https://github.com/py-pdf/pypdf/pull/3610
https://github.com/py-pdf/pypdf/releases/tag/6.6.2
https://github.com/py-pdf/pypdf/security/advisories/GHSA-2q4j-m29v-hq73
https://nvd.nist.gov/vuln/detail/CVE-2026-24688
https://www.cve.org/CVERecord?id=CVE-2026-24688

History

Wed, 25 Feb 2026 17:45:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`	cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L'}`

Fri, 06 Feb 2026 18:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Pypdf Project Pypdf Project pypdf
CPEs		cpe:2.3:a:pypdf_project:pypdf::::::::
Vendors & Products		Pypdf Project Pypdf Project pypdf
Metrics	cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}`	cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

Thu, 29 Jan 2026 00:15:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2026-24688 https://www.cve.org/CVERecord?id=CVE-2026-24688
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}` threat_severity `Moderate`

Wed, 28 Jan 2026 12:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Py-pdf Py-pdf pypdf
Vendors & Products		Py-pdf Py-pdf pypdf

Tue, 27 Jan 2026 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 27 Jan 2026 20:00:00 +0000

Type	Values Removed	Values Added
Description		pypdf is a free and open-source pure-python PDF library. An attacker who uses an infinite loop vulnerability that is present in versions prior to 6.6.2 can craft a PDF which leads to an infinite loop. This requires accessing the outlines/bookmarks. This has been fixed in pypdf 6.6.2. If projects cannot upgrade yet, consider applying the changes from PR #3610 manually.
Title		pypdf has possible Infinite Loop when processing outlines/bookmarks
Weaknesses		CWE-835
References		https://github.com/py-pdf/pypdf/commit/b1282f8dcdc1a7b41ceab6740ffddfdf31b1fec1 https://github.com/py-pdf/pypdf/pull/3610 https://github.com/py-pdf/pypdf/releases/tag/6.6.2 https://github.com/py-pdf/pypdf/security/advisories/GHSA-2q4j-m29v-hq73
Metrics		cvssV4_0 `{'score': 5.1, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}`

Subscriptions

Py-pdf Pypdf

Pypdf Project Pypdf

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-01-27T19:44:06.173Z

Updated: 2026-01-27T20:51:48.030Z

Reserved: 2026-01-23T20:40:23.389Z

Link: CVE-2026-24688

Vulnrichment

Updated: 2026-01-27T20:35:55.665Z

NVD

Status : Analyzed

Published: 2026-01-27T20:16:24.193

Modified: 2026-02-25T17:40:23.320

Link: CVE-2026-24688

Redhat

Severity : Moderate

Publid Date: 2026-01-27T19:44:06Z

Links: CVE-2026-24688 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T02:00:10Z

Weaknesses

CWE-835

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object