Description
pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.2 can craft a PDF which leads to the RAM being exhausted. This requires accessing a stream compressed using `/FlateDecode` with a `/Predictor` unequal 1 and large predictor parameters. This has been fixed in pypdf 6.10.2. As a workaround, one may apply the changes from the patch manually.
Published: 2026-04-22
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

The vulnerability in the pypdf library allows an attacker to craft a PDF containing a /FlateDecode stream with a /Predictor value other than 1 and large predictor parameters. When such a stream is processed, the library allocates excessive amounts of RAM, ultimately exhausting system memory. Because the library is pure Python, the memory exhaustion manifests as a denial of service in any process that parses the malicious PDF. This flaw is classified as CWE‑770 and CWE‑789, resource exhaustion.

Affected Systems

Any installation of the py-pdf pypdf library with a version earlier than 6.10.2 is vulnerable. The flaw exists in the default PDF parser used by applications that import the library. No specific operating systems are mentioned, but any environment running Python and using pypdf for PDF handling is affected.

Risk and Exploitability

The CVSS score of 4.8 indicates a moderate risk. The EPSS score is 0.00014 (less than 1%), and the vulnerability is not listed in the CISA KEV catalog. The exploit requires the attacker to supply a malicious PDF that is parsed by an application using the vulnerable library. As the PDF is a local input, the attack vector is inferred to be file‑based or local process input rather than remote network exploitation.

Generated by OpenCVE AI on April 28, 2026 at 15:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to pypdf version 6.10.2 or newer, which includes the fix for this resource‑exhaustion issue.
  • If an upgrade cannot be performed immediately, apply the patch changes manually as described in the GitHub commit to constrain predictor parameters and prevent excessive memory allocation.
  • Review any third‑party code that processes PDFs with pypdf and enforce validation to reject streams with predictor values greater than 1 or unusually large predictor parameters, thereby mitigating accidental exploitation.

Generated by OpenCVE AI on April 28, 2026 at 15:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-7gw9-cf7v-778f pypdf: Manipulated FlateDecode predictor parameters can exhaust RAM
History

Mon, 27 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Pypdf Project
Pypdf Project pypdf
CPEs cpe:2.3:a:pypdf_project:pypdf:*:*:*:*:*:*:*:*
Vendors & Products Pypdf Project
Pypdf Project pypdf
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

Sat, 25 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-770
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Thu, 23 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Py-pdf
Py-pdf pypdf
Vendors & Products Py-pdf
Py-pdf pypdf

Wed, 22 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Description pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.2 can craft a PDF which leads to the RAM being exhausted. This requires accessing a stream compressed using `/FlateDecode` with a `/Predictor` unequal 1 and large predictor parameters. This has been fixed in pypdf 6.10.2. As a workaround, one may apply the changes from the patch manually.
Title pypdf: Manipulated FlateDecode predictor parameters can exhaust RAM
Weaknesses CWE-789
References
Metrics cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Py-pdf Pypdf
Pypdf Project Pypdf
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-23T13:45:30.296Z

Reserved: 2026-04-20T14:01:46.671Z

Link: CVE-2026-41312

cve-icon Vulnrichment

Updated: 2026-04-23T13:45:25.607Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-22T22:16:32.093

Modified: 2026-04-27T19:31:03.477

Link: CVE-2026-41312

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-22T21:02:53Z

Links: CVE-2026-41312 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T15:30:34Z

Weaknesses