Description
pypdf is a free and open-source pure-python PDF library. Prior to 6.12.1, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing large XMP metadata, possibly with lots of unnecessary elements. This vulnerability is fixed in 6.12.1.
Published: 2026-05-28
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in pypdf allows an attacker to craft a PDF containing XMP metadata streams filled with large or excessive elements. When a vulnerable version of the library parses such a file, it allocates memory proportional to the size of the metadata, which can cause the process to consume large amounts of RAM and potentially crash or become unresponsive. The primary impact is a denial‑of‑service through memory exhaustion. This weakness is a classic example of resource exhaustion as identified by CWE‑770.

Affected Systems

All installations of the py-pdf pypdf library older than version 6.12.1 are affected. The issue was fixed in release 6.12.1 and later. Any application or script that imports pypdf and processes PDFs from untrusted sources could be impacted.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity. EPSS is not available, so the exploitation probability is not quantified, and the vulnerability is not listed in CISA’s KEV catalog. Based on the description, it is inferred that the attack can be performed by any entity that can deliver a malicious PDF to a process that uses pypdf, whether locally or remotely via an application that serves PDFs; no special privileges are required. The impact manifests as resource exhaustion rather than code execution.

Generated by OpenCVE AI on May 28, 2026 at 16:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the pypdf library to version 6.12.1 or newer.
  • If an upgrade is not immediately possible, limit the size of PDFs processed by pypdf or validate XMP metadata before parsing to exclude excessively large elements.
  • Monitor memory usage of processes using pypdf and consider running them in a restricted environment to mitigate potential denial‑of‑service impacts.

Generated by OpenCVE AI on May 28, 2026 at 16:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 28 May 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Py-pdf
Py-pdf pypdf
Vendors & Products Py-pdf
Py-pdf pypdf

Thu, 28 May 2026 15:30:00 +0000

Type Values Removed Values Added
Description pypdf is a free and open-source pure-python PDF library. Prior to 6.12.1, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing large XMP metadata, possibly with lots of unnecessary elements. This vulnerability is fixed in 6.12.1.
Title pypdf: Manipulated XMP metadata streams can exhaust RAM
Weaknesses CWE-770
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Py-pdf Pypdf
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-28T14:49:11.814Z

Reserved: 2026-05-22T19:10:35.746Z

Link: CVE-2026-48735

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-28T16:16:29.787

Modified: 2026-05-28T16:16:29.787

Link: CVE-2026-48735

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T17:00:13Z

Weaknesses