Description
pypdf is a free and open-source pure-python PDF library. Prior to 6.7.3, an attacker who uses this vulnerability can craft a PDF which leads to the RAM being exhausted. This requires accessing the `xfa` property of a reader or writer and the corresponding stream being compressed using `/FlateDecode`. This has been fixed in pypdf 6.7.3. As a workaround, apply the patch manually.
Published: 2026-02-26
Score: 6.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Resource Exhaustion (Denial of Service)
Action: Apply Patch
AI Analysis

Impact

An attacker can craft a PDF that, when processed by a program using the pypdf library, causes the library to allocate an unusually large amount of memory by exploiting the handling of an XFA stream compressed with /FlateDecode. The flaw is triggered when the code accesses the xfa property of a Reader or Writer, leading to excessive resource consumption during decoding (CWE‑1050, excessive platform resource consumption within a loop) and uncontrolled resource consumption (CWE‑400). The result is exhaustion of RAM, a process crash, and a denial of service; there is no evidence of arbitrary code execution or data leakage.

Affected Systems

All releases of the pypdf library older than version 6.7.3 are vulnerable. The affected project is py‑pdf/pypdf, and the fix was introduced in release 6.7.3. Any deployment that imports pypdf before that version and accesses the xfa property on attacker-supplied PDFs is affected.

Risk and Exploitability

The CVSS base score of 6.6 indicates a moderate level of severity, and the EPSS score of less than 1 % denotes a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The flaw is exercised when malicious PDF content is loaded and the xfa property is accessed, which is a typical path for document parsing or form‑processing applications that use pypdf. Consequently, an attacker who can supply such a PDF to a vulnerable application may cause a denial of service through memory exhaustion.

Generated by OpenCVE AI on April 18, 2026 at 17:37 UTC.

Remediation

Fixed in pypdf 6.7.3, as stated in the advisory description above. As a workaround for deployments that cannot upgrade, the fix patch can be applied manually.

OpenCVE Recommended Actions

  • Upgrade pypdf to version 6.7.3 or later to obtain the official fix.
  • If an upgrade is not immediately feasible, apply the manual patch from commit 7a4c8246ed48d9d328fb596942271da47b6d109c to correct FlateDecode handling in XFA streams.
  • Adjust application logic to avoid accessing the xfa property on untrusted PDFs, and implement input validation or resource‑usage limits to detect abnormal memory consumption.
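The root of this class of bug is decompression asymmetry: a few KiB of /FlateDecode data can inflate to gigabytes, and the vulnerable code inflates the XFA stream with no cap. The following is an added example, not code from pypdf or from the fix commit referenced above, showing the unbounded one-shot inflate beside a capped inflate built on the standard library's zlib.decompressobj. This is what the "resource‑usage limits" recommendation means in practice. The payload is constructed inside the example (1 MiB of zeros compressed with zlib) and is not taken from any real PDF; the function names and the 256 KiB cap are assumptions chosen for the demo.

```python
"""Bounded inflation of a FlateDecode stream (added example, not pypdf code).

A FlateDecode stream is a zlib stream, so the same asymmetry that breaks
pypdf < 6.7.3 can be shown with zlib alone: the attacker controls the
inflated size, and a one-shot decompress allocates whatever that is.
"""
import zlib

# Constructed payload: 1 MiB of zeros compresses to roughly 1 KiB, about a
# 1000:1 ratio. Real bombs nest the same trick to reach far larger outputs.
INFLATED_SIZE = 1 * 1024 * 1024
COMPRESSED_PAYLOAD = zlib.compress(b"\0" * INFLATED_SIZE, 9)


class DecompressionLimitExceeded(ValueError):
    """Raised when the inflated output would exceed the configured cap."""


def inflate_unbounded(data: bytes) -> bytes:
    """The risky pattern: one-shot inflate. Output size is attacker-controlled."""
    return zlib.decompress(data)


def inflate_bounded(data: bytes, max_output: int, chunk: int = 64 * 1024) -> bytes:
    """Inflate incrementally, aborting as soon as output would exceed max_output.

    decompressobj.decompress(data, max_length) emits at most max_length bytes
    per call and parks unprocessed input in .unconsumed_tail, so peak memory is
    bounded by max_output plus one chunk regardless of the compression ratio.
    """
    d = zlib.decompressobj()
    out = bytearray()
    pending = data
    while not d.eof:
        piece = d.decompress(pending, chunk)
        out += piece
        if len(out) > max_output:
            raise DecompressionLimitExceeded(
                f"inflated output exceeds {max_output} bytes "
                f"(compressed input was {len(data)} bytes)"
            )
        pending = d.unconsumed_tail
        if not piece and not pending:
            # Truncated stream: no input left and nothing more can be produced.
            break
    return bytes(out)


def exceeds_limit(data: bytes, max_output: int) -> bool:
    """Would inflating `data` blow past `max_output`? (assumed helper name)"""
    try:
        inflate_bounded(data, max_output)
    except DecompressionLimitExceeded:
        return True
    return False


def compression_ratio(data: bytes, max_output: int) -> float:
    """Inflated size over compressed size, measured under the cap."""
    return len(inflate_bounded(data, max_output)) / len(data)


if __name__ == "__main__":
    print(f"compressed: {len(COMPRESSED_PAYLOAD)} bytes, inflates to {INFLATED_SIZE}")
    print("unbounded:", len(inflate_unbounded(COMPRESSED_PAYLOAD)), "bytes allocated")
    verdict = "rejected" if exceeds_limit(COMPRESSED_PAYLOAD, 256 * 1024) else "accepted"
    print("bounded to 256 KiB:", verdict)
```

A cap in your own code does not reach inside a library that inflates the stream for you, so for pypdf the fix is the upgrade to 6.7.3; the bounded inflate is the pattern for any code path where you decode /FlateDecode data yourself, and a process-level guard such as running the parser in a worker with an address-space limit (resource.setrlimit with RLIMIT_AS on Unix) turns a host-wide RAM exhaustion into a contained worker failure.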



Advisories
Source: GitHub GHSA
ID: GHSA-x7hp-r3qg-r3cj
Title: pypdf: Manipulated FlateDecode XFA streams can exhaust RAM
History

Sat, 28 Feb 2026 00:15:00 +0000

Type         Values Removed            Values Added
Weaknesses                             CWE-1050
References
Metrics      threat_severity: None     threat_severity: Moderate


Fri, 27 Feb 2026 17:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Pypdf Project
                                      Pypdf Project pypdf
CPEs                                  cpe:2.3:a:pypdf_project:pypdf:*:*:*:*:*:*:*:*
Vendors & Products                    Pypdf Project
                                      Pypdf Project pypdf
Metrics                               cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Thu, 26 Feb 2026 13:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Py-pdf
                                      Py-pdf pypdf
Vendors & Products                    Py-pdf
                                      Py-pdf pypdf

Thu, 26 Feb 2026 01:00:00 +0000

Type         Values Removed   Values Added
Description                   pypdf is a free and open-source pure-python PDF library. Prior to 6.7.3, an attacker who uses this vulnerability can craft a PDF which leads to the RAM being exhausted. This requires accessing the `xfa` property of a reader or writer and the corresponding stream being compressed using `/FlateDecode`. This has been fixed in pypdf 6.7.3. As a workaround, apply the patch manually.
Title                         pypdf: Manipulated FlateDecode XFA streams can exhaust RAM
Weaknesses                    CWE-400
References
Metrics                       cvssV4_0: {'score': 6.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T16:16:08.680Z

Reserved: 2026-02-24T15:19:29.716Z

Link: CVE-2026-27888

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-02-26T01:16:25.470

Modified: 2026-02-27T17:26:35.363

Link: CVE-2026-27888

Redhat

Severity : Moderate

Public Date: 2026-02-26T00:42:00Z

Links: CVE-2026-27888 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T17:45:06Z

Weaknesses