CVE-2026-27628 - Vulnerability Details

- pypdf has a possible infinite loop when loading circular /Prev entries in cross-reference streams

Description

pypdf is a free and open-source pure-python PDF library. Prior to 6.7.2, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires reading the file. This has been fixed in pypdf 6.7.2. As a workaround, one may apply the patch manually.

Published: 2026-02-25

Score: 1.2 Low

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

pypdf, a pure-Python PDF library, contains an infinite-loop vulnerability triggered when loading a PDF with circular /Prev entries in its cross-reference streams. An attacker who supplies such a crafted PDF can cause the library to loop indefinitely while reading the file, exhausting system resources and resulting in a denial-of-service condition. The weakness corresponds to CWE‑835 and only requires the ability to load a malicious PDF; no elevated privileges or local resources are needed.

Affected Systems

This issue affects any deployment of py-pdf:pypdf prior to version 6.7.2. Users running earlier releases, including those integrating pypdf into custom applications or data pipelines, are vulnerable whenever they process PDFs that may contain circular cross-reference references.

Risk and Exploitability

The vulnerability has a low CVSS score of 1.2 and an EPSS below 1 %, indicating rare exploitation. It is not listed in the CISA KEV catalog. The attack vector is inferred to be local or remote file load, as the malicious PDF must be loaded by the application; thus, exposure is limited to environments where untrusted PDFs are processed. Remedying the issue mitigates the risk of a denial-of-service event.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

py-pdf

pypdf

affected

Version	Status	Constraints
`< 6.7.2`	affected	—

Configuration 1 [-]

cpe:2.3:a:pypdf_project:pypdf:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Py-pdf

Pypdf

100%

Version	Status	Scheme	Platform
`[0,6.7.2)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the library to pypdf 6.7.2 or later to eliminate the infinite-loop condition.
If an upgrade is not immediately possible, apply the patch commits referenced in the advisories (e.g., commit 0fbd9593 or f0a462d3) to the source before building the library.
Limit or sandbox any process that loads PDFs from untrusted sources, or replace pypdf with a more robust PDF parser that checks for circular cross-reference entries.

Generated by OpenCVE AI on April 16, 2026 at 16:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-2rw7-x74f-jg35	pypdf has a possible infinite loop when loading circular /Prev entries in cross-reference streams

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Active

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00055.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/py-pdf/pypdf/commit/0fbd95938724ad2d72688d4112207c0590f0483f
https://github.com/py-pdf/pypdf/commit/f0a462d36971cf077d74492a348d0d06fd60ea4d
https://github.com/py-pdf/pypdf/issues/3654
https://github.com/py-pdf/pypdf/security/advisories/GHSA-2rw7-x74f-jg35
https://nvd.nist.gov/vuln/detail/CVE-2026-27628
https://www.cve.org/CVERecord?id=CVE-2026-27628

History

Fri, 27 Feb 2026 20:00:00 +0000

Type	Values Removed	Values Added
References		https://github.com/py-pdf/pypdf/commit/f0a462d36971cf077d74492a348d0d06fd60ea4d

Thu, 26 Feb 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 26 Feb 2026 00:15:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2026-27628 https://www.cve.org/CVERecord?id=CVE-2026-27628
Metrics	threat_severity `None`	threat_severity `Moderate`

Wed, 25 Feb 2026 16:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Pypdf Project Pypdf Project pypdf
CPEs		cpe:2.3:a:pypdf_project:pypdf::::::::
Vendors & Products		Pypdf Project Pypdf Project pypdf
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

Wed, 25 Feb 2026 12:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Py-pdf Py-pdf pypdf
Vendors & Products		Py-pdf Py-pdf pypdf

Wed, 25 Feb 2026 03:15:00 +0000

Type	Values Removed	Values Added
Description		pypdf is a free and open-source pure-python PDF library. Prior to 6.7.2, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires reading the file. This has been fixed in pypdf 6.7.2. As a workaround, one may apply the patch manually.
Title		pypdf has a possible infinite loop when loading circular /Prev entries in cross-reference streams
Weaknesses		CWE-835
References		https://github.com/py-pdf/pypdf/commit/0fbd95938724ad2d72688d4112207c0590f0483f https://github.com/py-pdf/pypdf/issues/3654 https://github.com/py-pdf/pypdf/security/advisories/GHSA-2rw7-x74f-jg35
Metrics		cvssV4_0 `{'score': 1.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U'}`

Subscriptions

Py-pdf Pypdf

Pypdf Project Pypdf

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-02-25T02:45:37.543Z

Updated: 2026-02-27T19:49:02.019Z

Reserved: 2026-02-20T22:02:30.027Z

Link: CVE-2026-27628

Vulnrichment

Updated: 2026-02-25T15:58:18.196Z

NVD

Status : Modified

Published: 2026-02-25T03:16:06.513

Modified: 2026-02-27T20:21:38.617

Link: CVE-2026-27628

Redhat

Severity : Moderate

Publid Date: 2026-02-25T02:45:37Z

Links: CVE-2026-27628 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-16T16:30:15Z

Weaknesses

CWE-835

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Active

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object