Description
pypdf is a free and open-source pure-python PDF library. In versions prior to 6.10.0, manipulated XMP metadata entity declarations can exhaust RAM. An attacker who exploits this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the XMP metadata. This issue has been fixed in version 6.10.0.
Published: 2026-04-16
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via memory exhaustion
Action: Immediate Patch
AI Analysis

Impact

Manipulated XMP metadata entity declarations in the pypdf library cause the PDF parsing process to allocate large amounts of memory, leading to resource exhaustion. The vulnerability is an instance of improper resource management (CWE-776) and can produce a denial‑of‑service condition if an attacker feeds a malicious PDF file to a system that imports it with this library.

Affected Systems

The vulnerability affects all installations of the py-pdf:pypdf library with a version prior to 6.10.0. Any system that processes PDF documents using this library is potentially exposed.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity. No EPSS score is available, and the issue is not listed in the CISA KEV catalog. The attack requires only the ability to supply a corrupted PDF to the application; thus, services that accept user‑supplied PDF files or libraries that process PDFs on the internet are the most likely vectors. If exploited, the victim may experience high memory consumption and possible crash or suspension of the process, impacting availability of the application.

Generated by OpenCVE AI on April 17, 2026 at 02:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to pypdf version 6.10.0 or later as the vulnerability has been fixed.
  • If a library upgrade cannot be performed immediately, run PDF parsing in a sandboxed or isolated process and enforce strict memory limits to contain potential exhaustion.
  • Pre‑validate or sanitize PDFs to limit XMP metadata complexity before delegating to pypdf, rejecting documents that exceed reasonable size thresholds.

Generated by OpenCVE AI on April 17, 2026 at 02:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-3crg-w4f6-42mx pypdf: Manipulated XMP metadata entity declarations can exhaust RAM
History

Fri, 17 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 17 Apr 2026 01:00:00 +0000

Type Values Removed Values Added
First Time appeared Py-pdf
Py-pdf pypdf
Vendors & Products Py-pdf
Py-pdf pypdf

Thu, 16 Apr 2026 23:30:00 +0000

Type Values Removed Values Added
Description pypdf is a free and open-source pure-python PDF library. In versions prior to 6.10.0, manipulated XMP metadata entity declarations can exhaust RAM. An attacker who exploits this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the XMP metadata. This issue has been fixed in version 6.10.0.
Title pypdf: Manipulated XMP metadata entity declarations can exhaust RAM
Weaknesses CWE-776
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Py-pdf Pypdf
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-17T18:42:05.059Z

Reserved: 2026-04-10T17:31:45.787Z

Link: CVE-2026-40260

cve-icon Vulnrichment

Updated: 2026-04-17T18:41:55.862Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-17T01:17:39.733

Modified: 2026-04-17T15:38:09.243

Link: CVE-2026-40260

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T02:30:07Z

Weaknesses