Description
pypdf is a free and open-source pure-python PDF library. Prior to 6.12.2, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires extracting the text of a page which contains a form XObject with self-references. This vulnerability is fixed in 6.12.2.
Published: 2026-06-22
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in pypdf allows an attacker to craft a PDF that, when its text is extracted, causes the library to allocate an excessive amount of memory. The issue arises from pages containing a form XObject with self-references that trigger uncontrolled resource consumption. The resulting high memory usage can force the application or host system to run out of available memory, potentially leading to crashes or forced restarts, which in turn constitute a denial‑of‑service attack.

Affected Systems

Any installation of the py-pdf pypdf library older than version 6.12.2 is affected. Deployments that run text extraction on PDFs received from untrusted or external sources are at risk.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate to high severity. Although no EPSS score is available and the issue is not listed in the CISA KEV catalog, that absence does not reduce its potential impact. The attack requires the adversary to supply a malicious PDF and to trigger text extraction, so the vector is likely application‑level input handling. If an application processes PDFs without proper safeguards, the vulnerability can be exploited to exhaust memory and impair service availability.

Generated by OpenCVE AI on June 22, 2026 at 22:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update pypdf to version 6.12.2 or later, which contains the fix for the memory‑expansion issue.
  • If immediate upgrade is not possible, restrict the processing of PDF files to trusted sources only and reject or isolate untrusted PDFs before extraction.
  • Run text extraction in an isolated environment with strict memory limits to mitigate the impact of potential exploitation.

Generated by OpenCVE AI on June 22, 2026 at 22:21 UTC.
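The isolation recommended above, as an added example that is not OpenCVE's or pypdf's own code: a wrapper that runs pypdf's public `PdfReader` / `extract_text()` in a fresh child interpreter whose address space is capped with `RLIMIT_AS`, so a document that drives allocation past the cap is reported as `memory_exceeded` instead of taking down the service. It assumes a POSIX host and that pypdf is installed for the child; the exit code 3 convention and the function names are this example's own.

```python
import resource
import subprocess
import sys
import textwrap

# Code run inside the child interpreter for real extraction, using pypdf's
# public PdfReader / Page.extract_text API. Kept as a string so the parent
# never imports pypdf and the cap covers parsing as well as extraction.
PYPDF_CHILD = """\
import sys
from pypdf import PdfReader
reader = PdfReader(sys.argv[1])
sys.stdout.write("\\n".join(page.extract_text() or "" for page in reader.pages))
"""


def run_limited(child_code, argv, limit_bytes, timeout_s):
    """Run child_code in a fresh interpreter with its address space capped.

    Returns (status, payload) where status is one of "ok" (payload = stdout),
    "memory_exceeded", "killed", "timeout" or "error" (payload = stderr).
    """
    # Exit code 3 is this wrapper's own marker for a MemoryError in the child.
    wrapped = ("import sys\ntry:\n"
               + textwrap.indent(child_code.strip("\n") + "\n", "    ")
               + "except MemoryError:\n    sys.exit(3)\n")

    def cap():  # runs in the child between fork() and exec()
        _, hard = resource.getrlimit(resource.RLIMIT_AS)
        cap_bytes = limit_bytes if hard == resource.RLIM_INFINITY else min(limit_bytes, hard)
        resource.setrlimit(resource.RLIMIT_AS, (cap_bytes, cap_bytes))

    try:
        proc = subprocess.run([sys.executable, "-c", wrapped, *argv], preexec_fn=cap,
                              capture_output=True, text=True, timeout=timeout_s)
    except subprocess.TimeoutExpired:
        return "timeout", None
    if proc.returncode == 0:
        return "ok", proc.stdout
    if proc.returncode == 3:
        return "memory_exceeded", None
    if proc.returncode < 0:  # died on a signal, e.g. SIGABRT or an OOM kill
        return "killed", None
    return "error", proc.stderr.strip()


def extract_text_limited(pdf_path, limit_bytes=1024 ** 3, timeout_s=60):
    """Extract all page text from pdf_path under a 1 GiB address-space cap."""
    return run_limited(PYPDF_CHILD, [pdf_path], limit_bytes, timeout_s)
```

The wall-clock timeout matters as much as the memory cap: a document that stays under the cap but churns for minutes is still a denial of service for a synchronous request handler.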

Tracking


Advisories
Source | ID | Title
GitHub GHSA | GHSA-j543-4vmf-qm7v | pypdf: Possible large memory usage for form XObjects during text extraction
History

Tue, 23 Jun 2026 00:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Py-pdf; Py-pdf pypdf
Vendors & Products | | Py-pdf; Py-pdf pypdf

Mon, 22 Jun 2026 21:00:00 +0000

Type | Values Removed | Values Added
Description | | pypdf is a free and open-source pure-python PDF library. Prior to 6.12.2, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires extracting the text of a page which contains a form XObject with self-references. This vulnerability is fixed in 6.12.2.
Title | | pypdf: Possible large memory usage for form XObjects during text extraction
Weaknesses | | CWE-400
References | |
Metrics | | cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T20:27:16.174Z

Reserved: 2026-05-30T04:17:43.094Z

Link: CVE-2026-49461

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-23T00:15:03Z

Weaknesses
  • CWE-400 (Uncontrolled Resource Consumption)