Red Hat CVE-2026-33699
MEDIUMSeverity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3Blast Radius
ecosystem impact- 11 pypi packages depend on pypdf (11 direct, 0 indirect)
Ecosystem-wide dependent count for version 6.9.2.
DescriptionGitHub Advisory
Impact
An attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires reading a file in non-strict mode.
Patches
This has been fixed in pypdf==6.9.2.
Workarounds
If users cannot upgrade yet, consider applying the changes from PR #3693.
AnalysisAI
This vulnerability in pypdf allows an attacker to craft a malicious PDF file that triggers an infinite loop when processed in non-strict mode, resulting in a denial of service condition. The affected product is pypdf (Python package available via pip), and the vulnerability has been patched in version 6.9.2. While no CVSS score or EPSS data is currently available, the vulnerability is classified as a denial of service issue stemming from improper loop handling (CWE-835: Infinite Loop).
Technical ContextAI
The vulnerability exists in pypdf, a Python library for reading and writing PDF files distributed via pip (CPE: pkg:pip/pypdf). The root cause is classified under CWE-835 (Infinite Loop), indicating that the PDF parsing logic in non-strict mode contains a flaw that allows specially crafted PDF structures to cause unbounded iteration without proper termination conditions. The non-strict parsing mode, typically designed to handle malformed PDFs more gracefully, becomes a liability when it fails to detect and prevent infinite loops triggered by adversarial input. This is a classic resource exhaustion vulnerability where attacker-controlled data directly influences loop iteration without adequate safeguards.
RemediationAI
Immediately upgrade pypdf to version 6.9.2 or later, which contains the fix for the infinite loop condition. For organizations unable to upgrade immediately, apply the patch changes from GitHub PR #3693 (https://github.com/py-pdf/pypdf/pull/3693) to the affected codebase. As an interim mitigation, configure applications to use strict parsing mode if functionally feasible, implement strict resource limits and timeouts on PDF processing operations to prevent infinite loops from consuming unbounded CPU, and restrict PDF processing to trusted sources where possible. Monitor PDF processing operations for unexpectedly long execution times as an early warning sign of exploitation.
Same technique Denial Of Service
View allVendor StatusVendor
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bookworm | vulnerable | 3.4.1-1+deb12u1 | - |
| trixie | vulnerable | 5.4.0-1 | - |
| forky | vulnerable | 6.9.0-1 | - |
| sid | fixed | 6.9.2-1 | - |
| (unstable) | fixed | 6.9.2-1 | - |
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | vulnerable | 1.26.0-4+deb11u1 | - |
| bookworm | vulnerable | 2.12.1-3+deb12u1 | - |
| (unstable) | fixed | (unfixed) | - |
SUSE
Severity: High| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today