Description
pypdf is a free and open-source pure-python PDF library. Versions prior to 6.9.1 allow an attacker to craft a malicious PDF which leads to long runtimes and/or large memory usage. Exploitation requires accessing an array-based stream with many entries. This issue has been fixed in version 6.9.1.
Published: 2026-03-20
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via excessive memory/time consumption
Action: Immediate Patch
AI Analysis

Impact

A flaw in the pure‑Python PDF handling library allows a specially crafted PDF to trigger prolonged decoding and significant memory usage, causing the process to hang or crash. This abuse of array‑based streams leads to resource exhaustion, denying service to legitimate users.

Affected Systems

The vulnerability affects installations of the pypdf library distributed by py-pdf that use any version earlier than 6.9.1. Software relying on those older releases will process the overloaded stream and suffer the denial of service. Upgrading to 6.9.1 or later removes the problem.

Risk and Exploitability

The CVSS score of 5.1 indicates medium severity, and the EPSS score of less than 1% suggests a low likelihood of widespread exploitation. The vulnerability is not listed in CISA’s KEV catalog, so no public exploits are known. Attackers must craft a malicious PDF with a large array‑based stream; no additional network exposure is required. The overall risk is moderate but significant for services that parse PDFs from untrusted sources.

Generated by OpenCVE AI on March 23, 2026 at 18:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade pypdf to version 6.9.1 or later

Generated by OpenCVE AI on March 23, 2026 at 18:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-qpxp-75px-xjcp pypdf has inefficient decoding of array-based streams
History

Mon, 23 Mar 2026 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Pypdf Project
Pypdf Project pypdf
CPEs cpe:2.3:a:pypdf_project:pypdf:*:*:*:*:*:*:*:*
Vendors & Products Pypdf Project
Pypdf Project pypdf
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L'}

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

Sat, 21 Mar 2026 05:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-770
References
Metrics threat_severity

None

 cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L'}

threat_severity

Moderate

Fri, 20 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Py-pdf
Py-pdf pypdf
Vendors & Products Py-pdf
Py-pdf pypdf

Fri, 20 Mar 2026 09:30:00 +0000

Type Values Removed Values Added
Description pypdf is a free and open-source pure-python PDF library. Versions prior to 6.9.1 allow an attacker to craft a malicious PDF which leads to long runtimes and/or large memory usage. Exploitation requires accessing an array-based stream with many entries. This issue has been fixed in version 6.9.1.
Title pypdf has inefficient decoding of array-based streams
Weaknesses CWE-400
CWE-407
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Py-pdf Pypdf
Pypdf Project Pypdf
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T18:07:16.458Z

Reserved: 2026-03-17T20:35:49.926Z

Link: CVE-2026-33123

cve-icon Vulnrichment

Updated: 2026-03-20T16:04:05.465Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-20T10:16:18.717

Modified: 2026-03-23T15:48:01.007

Link: CVE-2026-33123

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-20T09:09:12Z

Links: CVE-2026-33123 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:29:43Z

Weaknesses