Skip to main content

Red Hat CVE-2026-33699

MEDIUM
Loop with Unreachable Exit Condition (Infinite Loop) (CWE-835)
2026-03-25 https://github.com/py-pdf/pypdf
4.6
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.6 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Red Hat
6.5 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Mar 25, 2026 - 20:17 vuln.today
Patch released
Mar 25, 2026 - 20:17 nvd
Patch available
CVE Published
Mar 25, 2026 - 20:05 nvd
MEDIUM 4.6

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 11 pypi packages depend on pypdf (11 direct, 0 indirect)

Ecosystem-wide dependent count for version 6.9.2.

DescriptionGitHub Advisory

Impact

An attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires reading a file in non-strict mode.

Patches

This has been fixed in pypdf==6.9.2.

Workarounds

If users cannot upgrade yet, consider applying the changes from PR #3693.

AnalysisAI

This vulnerability in pypdf allows an attacker to craft a malicious PDF file that triggers an infinite loop when processed in non-strict mode, resulting in a denial of service condition. The affected product is pypdf (Python package available via pip), and the vulnerability has been patched in version 6.9.2. While no CVSS score or EPSS data is currently available, the vulnerability is classified as a denial of service issue stemming from improper loop handling (CWE-835: Infinite Loop).

Technical ContextAI

The vulnerability exists in pypdf, a Python library for reading and writing PDF files distributed via pip (CPE: pkg:pip/pypdf). The root cause is classified under CWE-835 (Infinite Loop), indicating that the PDF parsing logic in non-strict mode contains a flaw that allows specially crafted PDF structures to cause unbounded iteration without proper termination conditions. The non-strict parsing mode, typically designed to handle malformed PDFs more gracefully, becomes a liability when it fails to detect and prevent infinite loops triggered by adversarial input. This is a classic resource exhaustion vulnerability where attacker-controlled data directly influences loop iteration without adequate safeguards.

RemediationAI

Immediately upgrade pypdf to version 6.9.2 or later, which contains the fix for the infinite loop condition. For organizations unable to upgrade immediately, apply the patch changes from GitHub PR #3693 (https://github.com/py-pdf/pypdf/pull/3693) to the affected codebase. As an interim mitigation, configure applications to use strict parsing mode if functionally feasible, implement strict resource limits and timeouts on PDF processing operations to prevent infinite loops from consuming unbounded CPU, and restrict PDF processing to trusted sources where possible. Monitor PDF processing operations for unexpectedly long execution times as an early warning sign of exploitation.

Vendor StatusVendor

Debian

pypdf
Release Status Fixed Version Urgency
bookworm vulnerable 3.4.1-1+deb12u1 -
trixie vulnerable 5.4.0-1 -
forky vulnerable 6.9.0-1 -
sid fixed 6.9.2-1 -
(unstable) fixed 6.9.2-1 -
pypdf2
Release Status Fixed Version Urgency
bullseye vulnerable 1.26.0-4+deb11u1 -
bookworm vulnerable 2.12.1-3+deb12u1 -
(unstable) fixed (unfixed) -

SUSE

Severity: High
Product Status
openSUSE Tumbleweed Fixed

Share

CVE-2026-33699 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy