Description
pypdf is a free and open-source pure-python PDF library. Prior to 6.12.2, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires extracting the text of a page which contains a form XObject with self-references. This vulnerability is fixed in 6.12.2.
Published: 2026-06-22
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in pypdf, resulting from weaknesses in CWE-400 (Uncontrolled Resource Consumption) and CWE-835 (Infinite Loops), allows an attacker to craft a PDF that, when its text is extracted, causes the library to allocate an excessive amount of memory. The issue arises from pages containing a form XObject with self-references that trigger uncontrolled resource consumption. The resulting high memory usage can force the application or host system to run out of available memory, potentially leading to crashes or forced restarts, which in turn constitute a denial‑of‑service attack.

Affected Systems

Any installation of the py-pdf pypdf library older than version 6.12.2 is affected. Those deployments that invoke the text extraction function on PDFs received from untrusted or external sources are at risk.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate to high severity. The EPSS score is 0.00125, indicating a very low but non-zero probability of exploitation. The lack of listing in the CISA KEV catalog does not reduce the potential impact. The vulnerability stems from CWE-400 and CWE-835 weaknesses, causing uncontrolled resource consumption during text extraction. The attack requires the adversary to supply a malicious PDF and to trigger text extraction; therefore, the vector is likely application‑level input handling. If an application processes PDFs without proper safeguards, the vulnerability can be exploited to exhaust memory and impair service availability.

Generated by OpenCVE AI on June 24, 2026 at 14:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update pypdf to version 6.12.2 or later, which contains the fix for the memory‑expansion issue.
  • If immediate upgrade is not possible, restrict the processing of PDF files to trusted sources only and reject or isolate untrusted PDFs before extraction.
  • Run text extraction in an isolated environment with strict memory limits to mitigate the impact of potential exploitation.

Generated by OpenCVE AI on June 24, 2026 at 14:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-j543-4vmf-qm7v pypdf: Possible large memory usage for form XObjects during text extraction
History

Wed, 24 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-835
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Tue, 23 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 00:30:00 +0000

Type Values Removed Values Added
First Time appeared Py-pdf
Py-pdf pypdf
Vendors & Products Py-pdf
Py-pdf pypdf

Mon, 22 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
Description pypdf is a free and open-source pure-python PDF library. Prior to 6.12.2, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires extracting the text of a page which contains a form XObject with self-references. This vulnerability is fixed in 6.12.2.
Title pypdf: Possible large memory usage for form XObjects during text extraction
Weaknesses CWE-400
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T15:54:54.860Z

Reserved: 2026-05-30T04:17:43.094Z

Link: CVE-2026-49461

cve-icon Vulnrichment

Updated: 2026-06-23T12:23:30.539Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-22T20:27:16Z

Links: CVE-2026-49461 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T14:15:05Z

Weaknesses
  • CWE-400

    Uncontrolled Resource Consumption

  • CWE-835

    Loop with Unreachable Exit Condition ('Infinite Loop')