Description
pypdf is a free and open-source pure-python PDF library. Prior to 6.7.1, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes and large memory consumption. This requires parsing the /ToUnicode entry of a font with unusually large values, for example during text extraction. This vulnerability is fixed in 6.7.1.
Published: 2026-02-20
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

A crafted PDF containing unusually large values in the /ToUnicode stream can cause the pypdf library to consume excessive memory and run for extended periods during parsing. This vulnerability is a classic resource‑exhaustion flaw that can interrupt normal processing, potentially leading to application crashes or degraded performance. The weakness aligns with CWE‑1050 (Resource Exhaustion) and CWE‑834 (Unchecked Input Leading to System Failure).

Affected Systems

All versions of the pypdf Python library released before 6.7.1 are vulnerable. Applications that import and use pypdf to read or extract text from PDF documents are at risk unless they upgrade to the fixed 6.7.1 release or later.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate severity, while the EPSS score of less than 1% suggests a low likelihood of active exploitation as of the latest assessment. This vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to deliver a malicious PDF file to a system that processes it with pypdf, either locally or through a web interface that accepts user‑supplied PDFs. The impact is limited to the device or application performing the parsing; it does not directly grant code execution or data exfiltration.

Generated by OpenCVE AI on April 17, 2026 at 17:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the pypdf package to version 6.7.1 or later, which removes the vulnerability.
  • If an upgrade is not immediately feasible, sanitize incoming PDFs to remove or truncate large /ToUnicode streams before passing them to pypdf, or use an alternative library for problematic files.
  • Implement application‑level memory and time limits when invoking pypdf, ensuring that resource exhaustion cannot bring down the service.

Generated by OpenCVE AI on April 17, 2026 at 17:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-wgvp-vg3v-2xq3 pypdf has possible long runtimes/large memory usage for large /ToUnicode streams
History

Tue, 24 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 24 Feb 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Pypdf Project
Pypdf Project pypdf
CPEs cpe:2.3:a:pypdf_project:pypdf:*:*:*:*:*:*:*:*
Vendors & Products Pypdf Project
Pypdf Project pypdf
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Py-pdf
Py-pdf pypdf
Vendors & Products Py-pdf
Py-pdf pypdf

Sat, 21 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1050
References
Metrics threat_severity

None

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Fri, 20 Feb 2026 21:30:00 +0000

Type Values Removed Values Added
Description pypdf is a free and open-source pure-python PDF library. Prior to 6.7.1, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes and large memory consumption. This requires parsing the /ToUnicode entry of a font with unusually large values, for example during text extraction. This vulnerability is fixed in 6.7.1.
Title pypdf has possible long runtimes/large memory usage for large /ToUnicode streams
Weaknesses CWE-834
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Py-pdf Pypdf
Pypdf Project Pypdf
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-24T18:40:02.655Z

Reserved: 2026-02-17T03:08:23.490Z

Link: CVE-2026-27025

cve-icon Vulnrichment

Updated: 2026-02-24T18:39:54.252Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-20T22:16:28.850

Modified: 2026-02-24T15:16:48.360

Link: CVE-2026-27025

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-02-20T21:11:20Z

Links: CVE-2026-27025 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T17:15:23Z

Weaknesses