Skip to main content

Red Hat CVE-2026-33123

MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-03-18 https://github.com/py-pdf/pypdf GHSA-qpxp-75px-xjcp
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
4.3 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Analysis Generated
Mar 18, 2026 - 16:30 vuln.today
Patch released
Mar 18, 2026 - 16:30 nvd
Patch available
CVE Published
Mar 18, 2026 - 16:17 nvd
MEDIUM 6.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 35 pypi packages depend on pypdf (6 direct, 29 indirect)

Ecosystem-wide dependent count for version 6.9.1.

DescriptionGitHub Advisory

Impact

An attacker who uses this vulnerability can craft a PDF which leads to long runtimes and/or large memory usage. This requires accessing an array-based stream with lots of entries.

Patches

This has been fixed in pypdf==6.9.1.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #3686.

AnalysisAI

A Denial of Service vulnerability exists in pypdf (Python PDF library) where an attacker can craft a malicious PDF file that causes excessive runtime and memory consumption by exploiting improper handling of array-based streams with large numbers of entries. All versions of pypdf prior to 6.9.1 are affected. An attacker can remotely trigger resource exhaustion on any system processing untrusted PDF files with this library, potentially causing application crashes or service unavailability.

Technical ContextAI

The vulnerability is rooted in CWE-400 (Uncontrolled Resource Consumption), a class of weaknesses where software fails to properly limit the consumption of resources such as memory and CPU. The affected product is pypdf (pkg:pip/pypdf), a pure-Python PDF processing library used for reading, writing, and manipulating PDF documents. The specific attack vector involves array-based streams within PDF files—a legitimate PDF structure used to store ordered collections of objects. The vulnerability arises from insufficient bounds checking or inefficient handling when pypdf processes streams containing an abnormally large number of entries, causing the parser to allocate excessive memory or enter long-running computation loops. This is a common pattern in PDF parsing vulnerabilities where the format's complexity and flexibility allow attackers to craft edge-case documents that stress parser implementations.

RemediationAI

Upgrade pypdf to version 6.9.1 or later immediately. This is the primary fix released by the vendor and addresses the resource consumption issue in array-based stream handling. For organizations unable to upgrade immediately, apply the upstream patch from GitHub PR #3686 (https://github.com/py-pdf/pypdf/pull/3686) to your local pypdf installation. As a temporary control, implement input validation on PDF files before processing—reject PDFs with unusually large array-based streams, or run pypdf in a sandboxed environment with strict resource limits (memory caps, CPU timeouts) to prevent complete service disruption if a malicious PDF is processed. Monitor PyPI and the pypdf GitHub repository for any security advisories and apply patches promptly.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Leap 16.0 Fixed
openSUSE Tumbleweed Fixed

Share

CVE-2026-33123 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy