Description
pypdf is a free and open-source pure-python PDF library. Versions prior to 6.9.2 have a vulnerability in which an attacker can craft a PDF which leads to an infinite loop. This requires reading a file in non-strict mode. This has been fixed in pypdf 6.9.2. If users cannot upgrade yet, consider applying the changes from the patch manually.
Published: 2026-03-26
Score: 4.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service (infinite loop)
Action: Immediate Patch
AI Analysis

Impact

The vulnerability resides in the pypdf library, a pure-Python PDF manipulation package. Versions earlier than 6.9.2 allow a malicious PDF to trigger an infinite loop while the library attempts to recover a dictionary object during stream parsing. The loop consumes CPU and memory until the process terminates, resulting in denial of service. The flaw corresponds to CWE-835: Infinite Loop.

Affected Systems

All installations of py-pdf:pypdf that run a version older than 6.9.2 and use non-strict mode are affected. Any application that imports pypdf to read or manipulate PDF files can be impacted. Upgrading to 6.9.2 or later mitigates the issue.

Risk and Exploitability

The CVSS score of 4.6 denotes moderate severity, but the practical risk of exhausting system resources and causing application downtime is significant. No publicly disclosed exploits exist and the flaw is not listed in CISA’s KEV catalog. The only prerequisite is delivering a crafted PDF to the library, making the attack vector simple and likely to be used against services that process untrusted PDFs. Although EPSS data is unavailable, the overall risk warrants immediate attention.

Generated by OpenCVE AI on March 27, 2026 at 06:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the pypdf library to version 6.9.2 or later.
  • If an upgrade is not possible, apply the changes from PR 3693 manually to your local copy.
  • Process PDFs in strict mode when feasible to avoid the recovery path that triggers the loop.
  • Monitor application resource usage and consider validating input file size to limit potential impact.
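The last two recommendations above turned into a small guard, as an added example (mine, not OpenCVE's or pypdf's code): `PdfReader(path, strict=True)` is pypdf's real API; `parse_untrusted_pdf`, `wall_time_limit` and the constructed `runaway_parser` stand-in are assumed names. It rejects oversized files before any parsing and bounds wall time with SIGALRM, which interrupts a pure-Python loop of the kind this advisory describes.

```python
import os
import signal
from contextlib import contextmanager
from typing import Any, Callable

class ParseTimeout(Exception):
    """Raised by the alarm handler inside a parse that ran past its deadline."""

@contextmanager
def wall_time_limit(seconds: float):
    """Interrupt a pure-Python loop that runs longer than `seconds`.
    SIGALRM handlers run between bytecodes, so a loop that never returns to the
    caller is still broken out of. POSIX, main thread only; a threaded or Windows
    service should parse in a child process it can kill instead."""
    def _on_alarm(signum, frame):
        raise ParseTimeout(f"parse exceeded {seconds:.1f}s")
    previous = signal.signal(signal.SIGALRM, _on_alarm)
    signal.setitimer(signal.ITIMER_REAL, seconds)
    try:
        yield
    finally:
        signal.setitimer(signal.ITIMER_REAL, 0)  # disarm before restoring
        signal.signal(signal.SIGALRM, previous)

def strict_page_count(path: str) -> int:
    """Real pypdf call: strict=True makes malformed input raise PdfReadError
    instead of entering the recovery path (assumes pypdf is installed)."""
    from pypdf import PdfReader
    return len(PdfReader(path, strict=True).pages)

def parse_untrusted_pdf(path: str, parser: Callable[[str], Any] = strict_page_count,
                        max_bytes: int = 20 * 1024 * 1024, timeout_s: float = 10.0):
    """Return (status, detail); status is ok, too_large, timeout or malformed."""
    size = os.path.getsize(path)
    if size > max_bytes:  # cheapest check first, before any byte is parsed
        return "too_large", size
    try:
        with wall_time_limit(timeout_s):
            return "ok", parser(path)
    except ParseTimeout as exc:
        return "timeout", str(exc)
    except Exception as exc:  # strict mode rejects instead of recovering
        return "malformed", repr(exc)

def runaway_parser(path: str) -> None:
    """Constructed stand-in for a parser stuck in a recovery loop (not pypdf)."""
    while True:
        pass
```

Call `parse_untrusted_pdf(path)` from a worker and treat anything other than `"ok"` as a rejected upload; the 20 MiB and 10 s defaults are placeholders to tune per service.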


Advisories
Source        ID                    Title
GitHub GHSA   GHSA-87mj-5ggw-8qc3   pypdf: Possible infinite loop during recovery attempts in DictionaryObject.read_from_stream
History

Fri, 27 Mar 2026 12:15:00 +0000

Type         Values Removed           Values Added
Weaknesses                            CWE-606
References
Metrics      threat_severity: None    cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}
                                      threat_severity: Moderate


Fri, 27 Mar 2026 08:45:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Py-pdf
                                        Py-pdf pypdf
Vendors & Products                      Py-pdf
                                        Py-pdf pypdf

Fri, 27 Mar 2026 04:00:00 +0000

Type          Values Removed    Values Added
Description                     pypdf is a free and open-source pure-python PDF library. Versions prior to 6.9.2 have a vulnerability in which an attacker can craft a PDF which leads to an infinite loop. This requires reading a file in non-strict mode. This has been fixed in pypdf 6.9.2. If users cannot upgrade yet, consider applying the changes from the patch manually.
Title                           pypdf: Possible infinite loop during recovery attempts in DictionaryObject.read_from_stream
Weaknesses                      CWE-835
References
Metrics                         cvssV4_0: {'score': 4.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T23:58:42.776Z

Reserved: 2026-03-23T17:06:05.746Z

Link: CVE-2026-33699

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-03-27T01:16:19.147

Modified: 2026-03-27T01:16:19.147

Link: CVE-2026-33699

Red Hat

Severity : Moderate

Public Date: 2026-03-26T23:58:42Z

Links: CVE-2026-33699 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-27T09:22:40Z

Weaknesses