Description
pypdf is a free and open-source pure-python PDF library. Prior to version 6.7.5, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires accessing a stream which uses the /ASCIIHexDecode filter. This issue has been patched in version 6.7.5.
Published: 2026-03-06
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via Resource Exhaustion
Action: Apply Patch
AI Analysis

Impact

The flaw in pypdf stems from an inefficient implementation of the ASCIIHexDecode filter. When it processes a PDF that contains this filter, the decoder can consume excessive CPU time, which leads to prolonged runtimes for the application. This behavior can be exploited by an attacker to render the application unresponsive, effectively causing a denial of service condition.

Affected Systems

Affected installations include any use of the py-pdf:pypdf library predating release 6.7.5. The vulnerability exists across all platforms where the library is used to parse PDFs, regardless of the programming language that hosts it. Updates to version 6.7.5 or later eliminate the inefficiency.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity, while the EPSS score of less than 1% points to a low chance of exploitation in the wild. The vulnerability does not require privileged access or authentication; an adversary can trigger it simply by supplying a malicious PDF to an application that depends on pypdf. Because the impact is resource exhaustion, the attack vector is inferred to be an untrusted PDF input that is processed by the library in a production environment.

Generated by OpenCVE AI on April 16, 2026 at 11:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the pypdf library to version 6.7.5 or newer.
  • If upgrading is not possible, configure the application to reject PDFs that use the /ASCIIHexDecode filter or sanitize the stream contents before decoding.
  • Apply operating‑system or container resource limits (CPU, memory) to pypdf processes to contain any potential runaway decoding.

Generated by OpenCVE AI on April 16, 2026 at 11:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-9m86-7pmv-2852 pypdf vulnerable to inefficient decoding of ASCIIHexDecode streams
History

Tue, 10 Mar 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Pypdf Project
Pypdf Project pypdf
CPEs cpe:2.3:a:pypdf_project:pypdf:*:*:*:*:*:*:*:*
Vendors & Products Pypdf Project
Pypdf Project pypdf
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

 cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Fri, 06 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Py-pdf
Py-pdf pypdf
Vendors & Products Py-pdf
Py-pdf pypdf

Fri, 06 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-770
References
Metrics threat_severity

None

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Fri, 06 Mar 2026 07:00:00 +0000

Type Values Removed Values Added
Description pypdf is a free and open-source pure-python PDF library. Prior to version 6.7.5, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires accessing a stream which uses the /ASCIIHexDecode filter. This issue has been patched in version 6.7.5.
Title pypdf: Inefficient decoding of ASCIIHexDecode streams
Weaknesses CWE-407
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Py-pdf Pypdf
Pypdf Project Pypdf
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-06T16:05:28.630Z

Reserved: 2026-03-03T14:25:19.246Z

Link: CVE-2026-28804

cve-icon Vulnrichment

Updated: 2026-03-06T16:00:00.785Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-06T07:16:01.220

Modified: 2026-03-10T19:39:37.180

Link: CVE-2026-28804

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-06T06:46:28Z

Links: CVE-2026-28804 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T11:45:26Z

Weaknesses