Description
pypdf is a free and open-source pure-python PDF library. Prior to version 6.7.4, an attacker can craft a PDF that causes pypdf to consume a large amount of memory when it parses a content stream that uses the RunLengthDecode filter. This has been fixed in pypdf 6.7.4. As a workaround, consider applying the changes from PR #3664.
Published: 2026-02-27
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

pypdf, a pure‑Python PDF library, decodes RunLengthDecode‑filtered streams in a way that lets a crafted PDF drive memory consumption out of all proportion to the size of the file. The flaw is classified as CWE‑400 (Uncontrolled Resource Consumption) and CWE‑770 (Allocation of Resources Without Limits or Throttling): parsing the malicious content can exhaust the RAM of the process that called pypdf and crash it, a denial‑of‑service condition. The effect is confined to the availability of that process and its host; confidentiality and integrity of data are not directly affected.

Affected Systems

The py‑pdf project’s pypdf library, versions earlier than 6.7.4, is vulnerable. Any environment that imports pypdf to parse PDF files—such as document viewers, web services that render PDFs, or batch processing scripts—may be affected.

Risk and Exploitability

The CVSS v4.0 base score of 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N) rates the issue medium: reachable over the network, low attack complexity, no privileges or user interaction required, with a low impact on availability only. The record also carries CVSS v3.1 vectors of 6.5 (C:N/I:L/A:L) and 5.3 (C:N/I:N/A:L), a Red Hat severity of Moderate, and an SSVC assessment of Exploitation: none, Automatable: yes, Technical Impact: partial. The EPSS score of < 1% reflects a low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires only that a crafted PDF reach an application that parses it with a vulnerable pypdf, so the practical exposure is every path that accepts PDFs from untrusted parties: upload endpoints, mail‑attachment processing, document‑conversion workers, batch ingestion jobs. Success exhausts memory and degrades or kills the consuming process; it yields neither code execution nor data exfiltration.

Generated by OpenCVE AI on April 16, 2026 at 15:15 UTC.

Remediation

Fixed upstream in pypdf 6.7.4. For deployments that cannot upgrade immediately, the advisory points to the changes in PR #3664 as a workaround.

OpenCVE Recommended Actions

  • Upgrade the pypdf library to version 6.7.4 or later
  • If an immediate upgrade is not feasible, merge the changes from PR #3664 to mitigate the issue
  • Until patched, treat PDF parsing as untrusted work: bound the decoded size of RunLengthDecode (and other filter) streams before decoding, and run the parser in a worker process with a memory limit and a timeout so that an oversized stream fails that worker rather than the whole service
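The following is an added example written for this page, not code from the pypdf project and not a reproduction of the defect fixed in 6.7.4 (the details of that fix are in PR #3664, which is not reproduced here). It implements the RunLengthDecode filter as ISO 32000-1 section 7.4.5 defines it, with the two controls the recommendation above asks for: a preflight pass that computes the decoded size without allocating it, and a decoder that enforces an output budget before each run is appended. It also constructs a worst-case stream to show why the filter is attractive to an attacker: every two encoded bytes can legitimately expand to 128 output bytes. The names run_length_decode, decoded_size, craft_repeat_stream, check_stream and MAX_DECODED are this example's own.

```python
"""
RunLengthDecode with an explicit output budget.

Added example for this page. It follows the RunLengthDecode definition in
ISO 32000-1 (section 7.4.5); it is NOT pypdf's implementation and does not
reproduce the specific defect fixed in pypdf 6.7.4 (see PR #3664 for that).
"""

EOD = 128                       # a length byte of 128 marks end of data
MAX_DECODED = 16 * 1024 * 1024  # illustrative 16 MiB budget per stream (assumption)


def decoded_size(data: bytes) -> int:
    """Return the decoded length of a RunLengthDecode stream WITHOUT
    allocating the output. Costs O(number of runs); this is the cheap
    preflight check a consumer can run before decoding anything."""
    total = 0
    i, n = 0, len(data)
    while i < n:
        length = data[i]
        i += 1
        if length == EOD:
            break
        if length < 128:            # literal run: the next length+1 bytes verbatim
            count = length + 1
            if i + count > n:
                raise ValueError("truncated literal run")
            total += count
            i += count
        else:                       # repeat run: the next byte repeated 257-length times
            if i >= n:
                raise ValueError("truncated repeat run")
            total += 257 - length
            i += 1
    return total


def run_length_decode(data: bytes, max_output: int = MAX_DECODED) -> bytes:
    """Decode a RunLengthDecode stream, refusing to grow past max_output bytes.
    The budget is checked before each run is appended, so a hostile stream
    fails fast instead of filling RAM."""
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        length = data[i]
        i += 1
        if length == EOD:
            break
        if length < 128:
            count = length + 1
            chunk = data[i:i + count]
            if len(chunk) != count:
                raise ValueError("truncated literal run")
            i += count
        else:
            if i >= n:
                raise ValueError("truncated repeat run")
            count = 257 - length
            chunk = data[i:i + 1] * count
            i += 1
        if len(out) + len(chunk) > max_output:
            raise ValueError(
                f"decoded output would exceed {max_output} bytes "
                f"(encoded input is {n} bytes)"
            )
        out += chunk
    return bytes(out)


def craft_repeat_stream(runs: int, byte: bytes = b"A") -> bytes:
    """Constructed worst-case input (sample data, not from any real PDF):
    each 2-byte run (length 0x81 = 129 followed by one data byte) decodes to
    257 - 129 = 128 copies of that byte, the maximum 64:1 expansion the
    format allows."""
    return (bytes([0x81]) + byte) * runs + bytes([EOD])


def check_stream(data: bytes, max_output: int = MAX_DECODED) -> bool:
    """Preflight: True when the stream's decoded size fits the budget."""
    return decoded_size(data) <= max_output


if __name__ == "__main__":
    hostile = craft_repeat_stream(1_000_000)   # about 2 MB encoded
    print(len(hostile), "encoded ->", decoded_size(hostile), "decoded bytes")
    print("fits 16 MiB budget:", check_stream(hostile))
```

Because a conforming decoder's expansion tops out at 64:1, a consumer can derive an acceptable budget from the encoded length (or from the stream dictionary's /Length) and reject a stream in the preflight pass without allocating a byte; the budget check inside the decoder is the backstop for streams that arrive without a trustworthy declared length. Either control keeps one bad stream from taking down the process, which is what the recommendation above means by bounding decoded size; the process-level memory limit and timeout remain the catch-all for anything the parser does that this example does not model.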

Advisories
Source: GitHub GHSA
ID: GHSA-f2v5-7jq9-h8cg
Title: pypdf: Manipulated RunLengthDecode streams can exhaust RAM
History

Tue, 03 Mar 2026 21:15:00 +0000
  Metrics (added): ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 03 Mar 2026 18:45:00 +0000
  First Time appeared (added): Pypdf Project; Pypdf Project pypdf
  CPEs (added): cpe:2.3:a:pypdf_project:pypdf:*:*:*:*:*:*:*:*
  Vendors & Products (added): Pypdf Project; Pypdf Project pypdf
  Metrics (removed): cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}
  Metrics (added): cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Tue, 03 Mar 2026 00:15:00 +0000
  Weaknesses (added): CWE-770
  References: changed
  Metrics (removed): threat_severity None
  Metrics (added): cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}; threat_severity Moderate

Mon, 02 Mar 2026 12:15:00 +0000
  First Time appeared (added): Py-pdf; Py-pdf pypdf
  Vendors & Products (added): Py-pdf; Py-pdf pypdf

Fri, 27 Feb 2026 21:15:00 +0000
  Description (added): pypdf is a free and open-source pure-python PDF library. Prior to version 6.7.4, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the content stream using the RunLengthDecode filter. This has been fixed in pypdf 6.7.4. As a workaround, consider applying the changes from PR #3664.
  Title (added): Manipulated RunLengthDecode streams can exhaust RAM
  Weaknesses (added): CWE-400
  References: changed
  Metrics (added): cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-03T20:28:45.592Z

Reserved: 2026-02-26T18:38:13.890Z

Link: CVE-2026-28351

Vulnrichment

Updated: 2026-03-03T20:28:41.738Z

NVD

Status : Analyzed

Published: 2026-02-27T21:16:19.177

Modified: 2026-03-03T18:36:06.290

Link: CVE-2026-28351

Redhat

Severity : Moderate

Public Date: 2026-02-27T20:59:16Z

Links: CVE-2026-28351 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-16T15:30:06Z

Weaknesses