Description
pypdf is a free and open-source pure-python PDF library. Prior to 6.7.1, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires a malformed /FlateDecode stream, where the byte-by-byte decompression is used. This vulnerability is fixed in 6.7.1.
Published: 2026-02-20
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via excessive runtime
Action: Apply Patch
AI Analysis

Impact

pypdf, a pure‑Python PDF library, contains a flaw that allows an attacker to craft a PDF with a malformed /FlateDecode stream. When pypdf processes such a stream it performs byte‑by‑byte decompression, leading to arbitrarily long runtimes and potentially exhausting CPU resources. This resource exhaustion vulnerability is reflected in CWE‑1050 and CWE‑770 and can cause an application using pypdf to become unresponsive or crash.

Affected Systems

The affected product is the pypdf library distributed under the py‑pdf:pypdf identifier. All releases prior to version 6.7.1 are vulnerable. Applications that import or otherwise invoke pypdf before the 6.7.1 release are susceptible.

Risk and Exploitability

The CVSS base score of 6.9 indicates moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. An attacker would need to supply a malicious PDF to a system that processes PDFs via pypdf. Local or remote execution is possible if the target application accepts untrusted PDF input. Mitigating controls such as fixing the library version or enforcing runtime limits can reduce this risk.

Generated by OpenCVE AI on April 17, 2026 at 17:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade pypdf to version 6.7.1 or later.
  • Set a maximum timeout or CPU quota for PDF processing functions that use pypdf.
  • Validate and sanitize PDF streams before passing them to pypdf, ensuring /FlateDecode streams are well‑formed.

Generated by OpenCVE AI on April 17, 2026 at 17:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-9mvc-8737-8j8h pypdf possibly has long runtimes for malformed FlateDecode streams
History

Thu, 26 Feb 2026 05:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 24 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Pypdf Project
Pypdf Project pypdf
CPEs cpe:2.3:a:pypdf_project:pypdf:*:*:*:*:*:*:*:*
Vendors & Products Pypdf Project
Pypdf Project pypdf
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Py-pdf
Py-pdf pypdf
Vendors & Products Py-pdf
Py-pdf pypdf

Sat, 21 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1050
References
Metrics threat_severity

None

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Fri, 20 Feb 2026 21:30:00 +0000

Type Values Removed Values Added
Description pypdf is a free and open-source pure-python PDF library. Prior to 6.7.1, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires a malformed /FlateDecode stream, where the byte-by-byte decompression is used. This vulnerability is fixed in 6.7.1.
Title pypdf possibly has long runtimes for malformed FlateDecode streams
Weaknesses CWE-770
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Py-pdf Pypdf
Pypdf Project Pypdf
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-24T18:47:02.304Z

Reserved: 2026-02-17T03:08:23.491Z

Link: CVE-2026-27026

cve-icon Vulnrichment

Updated: 2026-02-24T18:46:53.788Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-20T22:16:29.023

Modified: 2026-02-24T15:13:39.513

Link: CVE-2026-27026

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-02-20T21:12:33Z

Links: CVE-2026-27026 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T17:15:23Z

Weaknesses