Description
pypdf is a free and open-source pure-python PDF library. Prior to 6.8.0, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing a content stream with a rather large /Length value, regardless of the actual data length inside the stream. This vulnerability is fixed in 6.8.0.
Published: 2026-03-10
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via memory exhaustion
Action: Patch
AI Analysis

Impact

A flaw in the pypdf library allows an attacker to craft a PDF file that, when parsed, forces the library to preallocate memory based on an extremely large /Length value that does not match the actual data length. This mismatch can cause the program to consume a disproportionate amount of RAM, potentially leading to a denial‑of‑service. The weakness corresponds to resource exhaustion (CWE‑770).

Affected Systems

The vulnerability impacts all installations of the public pypdf library running any version prior to 6.8.0, on any operating system where the library is used to process PDF files.

Risk and Exploitability

The vulnerability has a CVSS score of 6.8, indicating moderate severity, and an EPSS below 1%, suggesting a low probability of exploitation. It is not listed in the CISA KEV catalog. The likely attack vector is a malicious PDF file that is parsed by an application using pypdf.

Generated by OpenCVE AI on April 16, 2026 at 09:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the pypdf library to version 6.8.0 or newer, which includes the fix.
  • Implement validation to reject or constrain PDFs whose /Length values exceed a reasonable threshold before invoking pypdf.
  • Configure the application to monitor memory usage during PDF parsing and enforce limits to prevent resource exhaustion.

Generated by OpenCVE AI on April 16, 2026 at 09:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-hqmh-ppp3-xvm7 pypdf: manipulated stream length values can exhaust RAM
History

Tue, 17 Mar 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Pypdf Project
Pypdf Project pypdf
CPEs cpe:2.3:a:pypdf_project:pypdf:*:*:*:*:*:*:*:*
Vendors & Products Pypdf Project
Pypdf Project pypdf
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

Thu, 12 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Py-pdf
Py-pdf pypdf
Vendors & Products Py-pdf
Py-pdf pypdf

Wed, 11 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Tue, 10 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Description pypdf is a free and open-source pure-python PDF library. Prior to 6.8.0, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing a content stream with a rather large /Length value, regardless of the actual data length inside the stream. This vulnerability is fixed in 6.8.0.
Title pypdf: manipulated stream length values can exhaust RAM
Weaknesses CWE-770
References
Metrics cvssV4_0

{'score': 6.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Py-pdf Pypdf
Pypdf Project Pypdf
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-11T15:59:26.902Z

Reserved: 2026-03-09T17:41:56.077Z

Link: CVE-2026-31826

cve-icon Vulnrichment

Updated: 2026-03-11T15:51:56.361Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T22:16:20.483

Modified: 2026-03-17T20:52:08.673

Link: CVE-2026-31826

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-10T21:36:52Z

Links: CVE-2026-31826 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T09:30:06Z

Weaknesses