Description
pypdf is a free and open-source pure-python PDF library. Prior to 6.12.0, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires cross-reference streams with /W [0 0 0] values and large /Size values. This vulnerability is fixed in 6.12.0.
Published: 2026-05-28
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

pypdf, a pure‑Python PDF manipulation library, contains a vulnerability that lets an attacker craft a PDF whose cross‑reference stream dictionary carries a /W entry of [0 0 0] together with a very large /Size value. In a cross‑reference stream the /W array gives the byte width of each field of an entry, so an all‑zero /W means every entry occupies zero bytes: a reader that loops once per declared entry performs /Size iterations while consuming no stream data at all, which is why the advisory requires both conditions together. In versions before 6.12.0 processing such a file therefore takes an inordinate amount of time, tying up the CPU of whatever process loads the PDF for as long as that parsing step runs. The effect is a denial of service against that process; the weakness is excessive iteration (CWE‑834).

Affected Systems

The affected product is py‑pdf:pypdf, specifically any version earlier than 6.12.0. Version 6.12.0 and later include the fix and are not affected.

Risk and Exploitability

The CVSS 4.0 score of 5.1 (AV:L/AC:L/AT:N/PR:N/UI:N with a low availability impact and no confidentiality or integrity impact) places this vulnerability in the medium range. EPSS data is not available, and the issue is not listed in the CISA KEV catalog. The likely attack scenario is an adversary delivering a crafted PDF to a system that parses PDFs with pypdf, whether a local user opening the file or a service that accepts user‑supplied documents. The exploit path requires no privileges and no interaction beyond getting the vulnerable library to process the malicious file. The moderate score reflects an availability‑only impact, not a low likelihood of exploitation: environments that use pypdf on untrusted documents, or that need high availability, should plan for a worker being stalled for a long time by a single file. The fix is to upgrade to 6.12.0 or later; the page lists no configuration‑level workaround.

Generated by OpenCVE AI on May 28, 2026 at 16:40 UTC.

Remediation

The CVE description states that the issue is fixed in pypdf 6.12.0; no separate workaround is listed.

OpenCVE Recommended Actions

  • Upgrade to pypdf version 6.12.0 or newer, which contains the fix for the cross‑reference stream issue.
  • Add validation logic before processing PDFs to detect suspicious cross‑reference streams, such as /W entries of [0 0 0] combined with large /Size values. If detected, reject or sandbox the PDF.
  • Parse untrusted PDFs in an isolated worker with a CPU‑time limit (for example a subprocess killed on timeout) so that one malicious file cannot stall the main service, and restrict which callers can submit PDFs to the code paths that parse them, to limit the impact of a potential denial‑of‑service attack.

Generated by OpenCVE AI on May 28, 2026 at 16:40 UTC.
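The pre‑parse check recommended above, and the zero‑width mechanism described in the Impact section, as an added example: this is not pypdf code and not part of the OpenCVE page. It is a byte‑level scan of the dictionaries of cross‑reference streams (those dictionaries are never compressed, so a raw scan can see them), flagging the shape named in the advisory, an all‑zero /W array combined with a large /Size. The function names, regular expressions, the size threshold and both sample PDFs are constructed for illustration and are assumptions, not values from the advisory.

```python
"""Triage cross-reference streams before handing a PDF to pypdf.

Added example, not pypdf code. Byte-level heuristic only: it reads the
(uncompressed) dictionary of each cross-reference stream and flags an
all-zero /W array combined with a large /Size.
"""
import re
from typing import Dict, List

# Assumed threshold, not from the advisory: how many entries a zero-width
# cross-reference table may declare before the file is refused.
DEFAULT_SIZE_THRESHOLD = 100_000

# Dictionary of a stream object: from "obj <<" to the ">>" directly before the
# "stream" keyword, never crossing "endobj", so an earlier non-stream object
# cannot be merged into the match. Nested "<< >>" (e.g. /DecodeParms) is fine
# because the inner ">>" is not followed by "stream".
_STREAM_DICT_RE = re.compile(
    rb"\bobj\s*<<((?:(?!endobj).)*?)>>\s*stream\b", re.DOTALL
)
_TYPE_XREF_RE = re.compile(rb"/Type\s*/XRef\b")
_W_RE = re.compile(rb"/W\s*\[([\d\s]*)\]")
_SIZE_RE = re.compile(rb"/Size\s+(\d+)")


def scan_xref_streams(pdf: bytes) -> List[Dict[str, object]]:
    """Return one record per cross-reference stream dictionary found in pdf."""
    records = []
    for m in _STREAM_DICT_RE.finditer(pdf):
        body = m.group(1)
        if not _TYPE_XREF_RE.search(body):
            continue
        w = _W_RE.search(body)
        size = _SIZE_RE.search(body)
        records.append({
            "offset": m.start(),
            "w": [int(x) for x in w.group(1).split()] if w else [],
            "size": int(size.group(1)) if size else 0,
        })
    return records


def is_zero_width_bomb(record: Dict[str, object],
                       size_threshold: int = DEFAULT_SIZE_THRESHOLD) -> bool:
    """True when every entry width is zero and /Size exceeds the threshold."""
    widths = record["w"]
    # /W gives the byte width of the three fields of each entry. With all
    # widths zero an entry occupies no bytes, so a reader that loops once per
    # declared entry does /Size iterations while consuming no stream data.
    return bool(widths) and sum(widths) == 0 and record["size"] > size_threshold


def suspicious_xref_streams(pdf: bytes,
                            size_threshold: int = DEFAULT_SIZE_THRESHOLD
                            ) -> List[Dict[str, object]]:
    """Records that should make the caller reject or sandbox the PDF."""
    return [r for r in scan_xref_streams(pdf)
            if is_zero_width_bomb(r, size_threshold)]


# Constructed sample, not a real file: a catalog object followed by a
# cross-reference stream declaring five million zero-byte entries.
MALICIOUS_PDF = (
    b"%PDF-1.5\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"3 0 obj\n<< /Type /XRef /Size 5000000 /W [0 0 0] /Root 1 0 R\n"
    b"   /Filter /FlateDecode /DecodeParms << /Columns 1 >> /Length 0 >>\n"
    b"stream\n\nendstream\nendobj\n"
    b"%%EOF\n"
)

# Constructed benign counterpart: ordinary field widths and a small table.
BENIGN_PDF = (
    b"%PDF-1.5\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"3 0 obj\n<< /Type /XRef /Size 7 /W [1 2 1] /Root 1 0 R /Length 28 >>\n"
    b"stream\n" + bytes(28) + b"\nendstream\nendobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    for name, data in (("malicious", MALICIOUS_PDF), ("benign", BENIGN_PDF)):
        hits = suspicious_xref_streams(data)
        print(f"{name}: {'REJECT' if hits else 'ok'} {hits}")
```

Run the check on the raw bytes before calling pypdf; a non‑empty result means reject the file or route it to an isolated worker. This is defence in depth for the window before the upgrade, not a substitute for it: the scan only recognises the dictionary shape named in the advisory, so a file that pypdf still accepts but that breaks the regular expressions above would pass through, and the threshold has to be tuned to the largest legitimate documents your service sees.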

Advisories

No advisories yet.

History

Thu, 28 May 2026 17:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Py-pdf
                                      Py-pdf pypdf
Vendors & Products                    Py-pdf
                                      Py-pdf pypdf

Thu, 28 May 2026 15:30:00 +0000

Type          Values Removed   Values Added
Description                    pypdf is a free and open-source pure-python PDF library. Prior to 6.12.0, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires cross-reference streams with /W [0 0 0] values and large /Size values. This vulnerability is fixed in 6.12.0.
Title                          pypdf: Possible long runtimes for zero-only width values in cross-reference streams
Weaknesses                     CWE-834
References
Metrics                        cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-28T14:50:41.829Z

Reserved: 2026-05-20T23:12:43.031Z

Link: CVE-2026-48156

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-28T16:16:29.020

Modified: 2026-05-28T16:16:29.020

Link: CVE-2026-48156

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T17:30:15Z

Weaknesses