Description
pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.2 can craft a PDF which leads to the RAM being exhausted. This requires accessing an image using `/FlateDecode` with large size values. This has been fixed in pypdf 6.10.2. As a workaround, one may apply the changes from the patch manually.
Published: 2026-04-22
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Memory Exhaustion (Denial of Service)
Action: Apply Patch
AI Analysis

Impact

pypdf, a pure‑python PDF library, contains a flaw that allows an attacker to craft a PDF with an image decoded by /FlateDecode and exaggerated dimension values. When the library processes such an image, it allocates an enormous amount of RAM to hold the decoded pixels, which can exhaust the process memory and lead to a crash or unresponsiveness. The issue maps to unchecked resource allocation weaknesses, namely CWE‑770.

Affected Systems

All installations of the pypdf library before version 6.10.2 are vulnerable. The fix was introduced in release 6.10.2; therefore, any application that uses an older pypdf version and parses PDFs from untrusted sources is at risk.

Risk and Exploitability

With a CVSS score of 4.8, the vulnerability is considered moderate. The EPSS score is reported as less than 1 %, implying a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. It is inferred that the most likely attack scenario involves an adversary delivering a malicious PDF to an application that uses pypdf; the attacker does not need privileged access, but can cause resource exhaustion locally, potentially impacting the availability of services that depend on the library.

Generated by OpenCVE AI on April 28, 2026 at 15:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the pypdf library to version 6.10.2 or newer.
  • If upgrading is not immediately feasible, apply the patch changes from commit ac734dab4eef92bcce50d503949b4d9887d89f11 manually to the affected code.
  • Add process‑level resource limits for any application that parses PDFs, such as setting a maximum memory cap or deploying the process in a container with constrained RAM.

Generated by OpenCVE AI on April 28, 2026 at 15:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-x284-j5p8-9c5p pypdf: Manipulated FlateDecode image dimensions can exhaust RAM
History

Mon, 27 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Pypdf Project
Pypdf Project pypdf
CPEs cpe:2.3:a:pypdf_project:pypdf:*:*:*:*:*:*:*:*
Vendors & Products Pypdf Project
Pypdf Project pypdf
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

Sat, 25 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-770
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Thu, 23 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Py-pdf
Py-pdf pypdf
Vendors & Products Py-pdf
Py-pdf pypdf

Wed, 22 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Description pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.2 can craft a PDF which leads to the RAM being exhausted. This requires accessing an image using `/FlateDecode` with large size values. This has been fixed in pypdf 6.10.2. As a workaround, one may apply the changes from the patch manually.
Title pypdf: Manipulated FlateDecode image dimensions can exhaust RAM
Weaknesses CWE-789
References
Metrics cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Py-pdf Pypdf
Pypdf Project Pypdf
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-23T14:21:47.589Z

Reserved: 2026-04-20T14:01:46.671Z

Link: CVE-2026-41314

cve-icon Vulnrichment

Updated: 2026-04-23T14:21:36.340Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-22T22:16:32.367

Modified: 2026-04-27T19:29:40.690

Link: CVE-2026-41314

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-22T21:08:14Z

Links: CVE-2026-41314 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T15:15:34Z

Weaknesses