Red Hat CVE-2026-33123
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Lifecycle Timeline
3Blast Radius
ecosystem impact- 35 pypi packages depend on pypdf (6 direct, 29 indirect)
Ecosystem-wide dependent count for version 6.9.1.
DescriptionGitHub Advisory
Impact
An attacker who uses this vulnerability can craft a PDF which leads to long runtimes and/or large memory usage. This requires accessing an array-based stream with lots of entries.
Patches
This has been fixed in pypdf==6.9.1.
Workarounds
If you cannot upgrade yet, consider applying the changes from PR #3686.
AnalysisAI
A Denial of Service vulnerability exists in pypdf (Python PDF library) where an attacker can craft a malicious PDF file that causes excessive runtime and memory consumption by exploiting improper handling of array-based streams with large numbers of entries. All versions of pypdf prior to 6.9.1 are affected. An attacker can remotely trigger resource exhaustion on any system processing untrusted PDF files with this library, potentially causing application crashes or service unavailability.
Technical ContextAI
The vulnerability is rooted in CWE-400 (Uncontrolled Resource Consumption), a class of weaknesses where software fails to properly limit the consumption of resources such as memory and CPU. The affected product is pypdf (pkg:pip/pypdf), a pure-Python PDF processing library used for reading, writing, and manipulating PDF documents. The specific attack vector involves array-based streams within PDF files—a legitimate PDF structure used to store ordered collections of objects. The vulnerability arises from insufficient bounds checking or inefficient handling when pypdf processes streams containing an abnormally large number of entries, causing the parser to allocate excessive memory or enter long-running computation loops. This is a common pattern in PDF parsing vulnerabilities where the format's complexity and flexibility allow attackers to craft edge-case documents that stress parser implementations.
RemediationAI
Upgrade pypdf to version 6.9.1 or later immediately. This is the primary fix released by the vendor and addresses the resource consumption issue in array-based stream handling. For organizations unable to upgrade immediately, apply the upstream patch from GitHub PR #3686 (https://github.com/py-pdf/pypdf/pull/3686) to your local pypdf installation. As a temporary control, implement input validation on PDF files before processing—reject PDFs with unusually large array-based streams, or run pypdf in a sandboxed environment with strict resource limits (memory caps, CPU timeouts) to prevent complete service disruption if a malicious PDF is processed. Monitor PyPI and the pypdf GitHub repository for any security advisories and apply patches promptly.
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Leap 16.0 | Fixed |
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-qpxp-75px-xjcp