Description
pypdf is a free and open-source pure-python PDF library. Prior to 6.12.0, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires cross-reference streams with /W [0 0 0] values and large /Size values. This vulnerability is fixed in 6.12.0.
Published: 2026-05-28
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

pypdf, a pure-Python PDF manipulation library, contains a vulnerability that lets an attacker craft a PDF whose cross-reference stream declares a /W entry consisting only of zeros ([0 0 0]) together with a very large /Size value. Because every field width is zero, each table entry occupies no bytes, so the number of loop iterations is governed by the attacker-controlled /Size rather than by the amount of stream data actually present, and the library spends an inordinate amount of CPU time iterating over the declared entries. The result is a denial of service: the calling code is blocked for as long as the parse runs. The weakness is classed as CWE-606 (Unchecked Input for Loop Condition) and CWE-834 (Excessive Iteration).

Affected Systems

The affected product is py‑pdf:pypdf, specifically any version earlier than 6.12.0. Version 6.12.0 and later include the fix and are not affected.

Risk and Exploitability

The CVSS 4.0 score of 5.1 places this vulnerability in the medium range (the CVSS 3.1 vector recorded by NVD scores it 3.3, Low). The EPSS score below 1% indicates a low probability of exploitation, and the issue is not listed in the CISA KEV catalog. The likely attack scenario is an adversary delivering a crafted PDF to a system that parses PDFs with pypdf, either as a local user or through a remote service that accepts user-supplied PDFs. No privileges are required; the only precondition is that the vulnerable library process the malicious file. The impact is limited to availability, but environments that require high availability or that run pypdf over untrusted documents should weigh the cost of prolonged run times and CPU consumption. This vulnerability is best mitigated by upgrading rather than by a temporary workaround.

Generated by OpenCVE AI on June 5, 2026 at 05:51 UTC.

Remediation

No vendor workaround is listed. The fix is the upstream release itself: the description above states the issue is fixed in pypdf 6.12.0.

OpenCVE Recommended Actions

  • Upgrade to pypdf version 6.12.0 or newer, which contains the fix for the cross‑reference stream issue.
  • Add validation logic before processing PDFs to detect suspicious cross‑reference streams, such as /W entries of [0 0 0] combined with large /Size values. If detected, reject or sandbox the PDF.
  • Enforce strict access controls around any code paths that render or manipulate PDFs to limit the impact of a potential denial‑of‑service attack.
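The pre-parse validation suggested in the recommended actions, written out as an added example (this is not pypdf's own code and does not call pypdf; it uses only the Python standard library). It scans the raw bytes of a PDF for objects whose dictionary carries /Type /XRef, reads /W, /Size and /Index as written, and reports any stream whose field widths are all zero while its declared entry count is large. It goes slightly beyond the advisory's wording by counting entries from /Index when present, falling back to /Size (the PDF default for /Index is [0 /Size]). The threshold MAX_XREF_ENTRIES and all helper names are assumptions, and the two sample PDFs are constructed inputs, not real files.

```python
"""Screen PDFs for cross-reference streams with all-zero /W field widths
and a huge declared entry count (the pattern behind CVE-2026-48156).
Added example: standard library only, no pypdf involved."""
import re
from typing import Optional

# Assumed threshold (not from the advisory): an xref stream with zero-width
# fields that declares more entries than this is reported.
MAX_XREF_ENTRIES = 1_000_000

_OBJ_HEADER = re.compile(rb"(\d+)\s+(\d+)\s+obj\b")
_INT = re.compile(rb"-?\d+")


def _balanced_dict(data: bytes, start: int) -> Optional[bytes]:
    """Return the << ... >> dictionary starting at `start`, honouring nested
    dictionaries such as /DecodeParms << ... >>."""
    depth, i = 0, start
    while i + 1 < len(data):
        pair = data[i:i + 2]
        if pair == b"<<":
            depth += 1
            i += 2
        elif pair == b">>":
            depth -= 1
            i += 2
            if depth == 0:
                return data[start:i]
        else:
            i += 1
    return None


def _int_array(d: bytes, key: bytes) -> Optional[list]:
    """Parse `/Key [a b c ...]` from a dictionary; None if absent."""
    m = re.search(rb"/" + key + rb"\s*\[([^\]]*)\]", d)
    return None if m is None else [int(x) for x in _INT.findall(m.group(1))]


def find_xref_streams(data: bytes) -> list:
    """Report every object whose dictionary has /Type /XRef, with its /W,
    /Size and /Index as written in the file (the stream itself is not decoded)."""
    found = []
    for m in _OBJ_HEADER.finditer(data):
        pos = m.end()
        while pos < len(data) and data[pos:pos + 1] in b" \t\r\n":
            pos += 1
        if data[pos:pos + 2] != b"<<":
            continue
        d = _balanced_dict(data, pos)
        if d is None or re.search(rb"/Type\s*/XRef\b", d) is None:
            continue
        size = re.search(rb"/Size\s+(\d+)", d)
        found.append({"obj": int(m.group(1)), "W": _int_array(d, b"W"),
                      "Size": int(size.group(1)) if size else 0,
                      "Index": _int_array(d, b"Index")})
    return found


def declared_entries(xref: dict) -> int:
    """Entries the stream claims to hold: the counts in /Index summed, or
    /Size when /Index is absent (the PDF default is [0 /Size])."""
    if xref["Index"]:
        return sum(xref["Index"][1::2])
    return xref["Size"]


def check_xref_streams(data: bytes, max_entries: int = MAX_XREF_ENTRIES) -> list:
    """One finding per xref stream whose widths are all zero and whose
    declared entry count exceeds `max_entries`; [] when nothing matches."""
    findings = []
    for x in find_xref_streams(data):
        widths = x["W"]
        if widths is None or any(w != 0 for w in widths):
            continue  # normal widths: iteration is bounded by the stream data
        n = declared_entries(x)
        if n > max_entries:
            findings.append(f"obj {x['obj']}: /W {widths} with {n} declared "
                            f"entries (/Size {x['Size']}) exceeds {max_entries}")
    return findings


def _build_pdf(xref_dict: bytes, body: bytes) -> bytes:
    # Constructed minimal PDF skeleton used as sample input; not a valid document.
    return (b"%PDF-1.5\n1 0 obj\n" + xref_dict + b"\nstream\n" + body +
            b"\nendstream\nendobj\nstartxref\n9\n%%EOF\n")


# Constructed samples: one matching the advisory's pattern, one benign.
MALICIOUS_PDF = _build_pdf(
    b"<< /Type /XRef /Size 100000000 /W [0 0 0] /Root 2 0 R"
    b" /DecodeParms << /Columns 1 /Predictor 12 >> /Length 0 >>", b"")
BENIGN_PDF = _build_pdf(
    b"<< /Type /XRef /Size 3 /W [1 2 1] /Root 2 0 R /Length 12 >>",
    bytes([1, 0, 0, 0, 1, 0, 15, 0, 1, 0, 32, 0]))

if __name__ == "__main__":
    for name, pdf in (("malicious", MALICIOUS_PDF), ("benign", BENIGN_PDF)):
        print(name, check_xref_streams(pdf) or "no suspicious xref streams")
```

Run the screen before handing a file to pypdf and reject or sandbox anything it reports; it is a cheap byte-level filter, not a substitute for upgrading to 6.12.0, and a file that passes may still be malformed in other ways.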

Generated by OpenCVE AI on June 5, 2026 at 05:51 UTC.


Advisories
Source: GitHub GHSA
ID: GHSA-248m-82v9-q6g6
Title: pypdf: Possible long runtimes for zero-only width values in cross-reference streams
History

Fri, 05 Jun 2026 00:15:00 +0000

Type: Weaknesses
  Added: CWE-606
Type: References
Type: Metrics threat_severity
  Removed: None
  Added: Low


Sat, 30 May 2026 02:15:00 +0000

Type: Metrics ssvc
  Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 29 May 2026 19:45:00 +0000

Type: First Time appeared
  Added: Pypdf Project; Pypdf Project pypdf
Type: CPEs
  Added: cpe:2.3:a:pypdf_project:pypdf:*:*:*:*:*:*:*:*
Type: Vendors & Products
  Added: Pypdf Project; Pypdf Project pypdf
Type: Metrics cvssV3_1
  Added: {'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L'}


Thu, 28 May 2026 17:45:00 +0000

Type: First Time appeared
  Added: Py-pdf; Py-pdf pypdf
Type: Vendors & Products
  Added: Py-pdf; Py-pdf pypdf

Thu, 28 May 2026 15:30:00 +0000

Type: Description
  Added: pypdf is a free and open-source pure-python PDF library. Prior to 6.12.0, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires cross-reference streams with /W [0 0 0] values and large /Size values. This vulnerability is fixed in 6.12.0.
Type: Title
  Added: pypdf: Possible long runtimes for zero-only width values in cross-reference streams
Type: Weaknesses
  Added: CWE-834
Type: References
Type: Metrics cvssV4_0
  Added: {'score': 5.1, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-30T02:08:20.806Z

Reserved: 2026-05-20T23:12:43.031Z

Link: CVE-2026-48156

Vulnrichment

Updated: 2026-05-30T02:08:15.609Z

NVD

Status : Analyzed

Published: 2026-05-28T16:16:29.020

Modified: 2026-05-29T19:38:49.830

Link: CVE-2026-48156

Redhat

Severity : Low

Public Date: 2026-05-28T14:50:41Z

Links: CVE-2026-48156 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-05T06:00:06Z

Weaknesses
  • CWE-606

    Unchecked Input for Loop Condition

  • CWE-834

    Excessive Iteration