Skip to main content

pdfcpu CVE-2026-38970

HIGH
Uncontrolled Recursion (CWE-674)
2026-07-02 cve@mitre.org
7.5
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Unauthenticated attacker delivers a crafted PDF over the network with no interaction; sole impact is process crash, so C:N/I:N/A:H, matching the published vector.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Analysis Generated
Jul 06, 2026 - 16:23 vuln.today
CVSS changed
Jul 06, 2026 - 16:22 NVD
7.5 (HIGH)
CVE Published
Jul 02, 2026 - 21:16 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

pdfcpu through v0.11.1 contains an uncontrolled-recursion denial-of-service issue in pkg/pdfcpu/model/parse.go. The parser descends recursively through nested PDF objects, including arrays, via ParseObjectContext() and parseArray() without enforcing a maximum nesting depth.

AnalysisAI

Denial of service in pdfcpu (the Go PDF processing library and CLI) through v0.11.1 lets a remote attacker crash any application that parses attacker-supplied PDFs by submitting a document with deeply nested objects. The parser follows nested arrays recursively via ParseObjectContext() and parseArray() with no depth cap, so a crafted file exhausts the goroutine stack and aborts the process. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft PDF with deeply nested arrays
Delivery
Submit to pdfcpu processing endpoint
Exploit
Parser recurses via parseArray/ParseObjectContext
Execution
Goroutine stack overflow
Impact
Runtime panic crashes service

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target application feed an attacker-supplied PDF to pdfcpu's object parser (any operation that invokes ParseObjectContext(), e.g. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N, C:N/I:N/A:H, base 7.5) reflects a network-reachable, unauthenticated, low-complexity attack whose only impact is availability - there is no confidentiality or integrity loss. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker uploads a small, malformed PDF containing an array nested hundreds of thousands of levels deep to a web service that uses pdfcpu to validate, merge, or extract content from user documents. When pdfcpu parses the file, mutual recursion between ParseObjectContext() and parseArray() overruns the goroutine stack and the Go runtime fatally panics, crashing the service for all users. …
Remediation Upgrade to a pdfcpu release later than v0.11.1 that enforces a maximum parse nesting depth; the references cite the upstream repository (https://github.com/pdfcpu/pdfcpu) and the specific vulnerable lines (parse.go L325-366 and L942-970), but no exact fixed version tag is included in the provided data, so confirm the patched release on the project's releases page before pinning - released patched version not independently confirmed from available data. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all internal applications using pdfcpu via go.mod dependency scanning and software supply-chain tools; document each service's criticality and exposure to untrusted PDF sources. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-38970 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy