CVE-2026-40260

MEDIUM
2026-04-10 https://github.com/py-pdf/pypdf GHSA-3crg-w4f6-42mx

Lifecycle Timeline

Analysis Generated
Apr 10, 2026 - 21:45 vuln.today
Patch Released
Apr 10, 2026 - 21:45 nvd
Patch available
CVE Published
Apr 10, 2026 - 20:59 nvd
MEDIUM

Description

### Impact

An attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the XMP metadata.

### Patches

This has been fixed in [pypdf==6.10.0](https://github.com/py-pdf/pypdf/releases/tag/6.10.0).

### Workarounds

If you cannot upgrade yet, consider applying the changes from PR [#3724](https://github.com/py-pdf/pypdf/pull/3724).
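
To find deployments that still need the upgrade, the following added example (not part of the advisory or the pypdf project) audits requirements-style pins against the fixed release 6.10.0 named above. The `audit` helper and the sample file contents are constructed for illustration, and the specifier handling is a simplified approximation of PEP 440 that errs toward flagging.

```python
import re

FIXED = (6, 10, 0)  # first fixed pypdf release named in the advisory

# A pypdf requirement line; the lookahead keeps "PyPDF2" and similar names out.
_REQ = re.compile(r"^\s*pypdf(?![A-Za-z0-9._-])(?:\[[^\]]*\])?(?P<spec>[^;#]*)", re.I)
_CLAUSE = re.compile(r"(==|>=|<=|~=|!=|>|<)\s*([0-9]+(?:\.[0-9]+)*)(\.\*)?")

def _ver(text):
    """Turn '6.9' into (6, 9, 0) so tuples compare like versions."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * max(0, 3 - len(parts)))

def audit(lines):
    """Return (line_no, requirement, verdict) for each pypdf requirement."""
    findings = []
    for no, raw in enumerate(lines, 1):
        m = _REQ.match(raw)
        if not m:
            continue
        exact = lower = None
        for op, ver, wildcard in _CLAUSE.findall(m.group("spec")):
            v = _ver(ver)
            if op == "==" and not wildcard:
                exact = v
            if op in ("==", ">=", "~=", ">"):  # clauses that set a floor
                lower = v if lower is None else max(lower, v)
        if exact is not None and exact < FIXED:
            verdict = "vulnerable"
        elif lower is not None and lower >= FIXED:
            verdict = "ok"
        else:  # no floor at or above the fixed release
            verdict = "may resolve to vulnerable"
        findings.append((no, raw.strip(), verdict))
    return findings

# Constructed sample requirements file (not from the advisory).
SAMPLE = """\
# constructed requirements file
requests==2.32.3
pypdf==6.9.2
pypdf[crypto]>=5.0,<7 ; python_version >= "3.9"
pypdf>=6.10.0
PyPDF2==3.0.1
pypdf
pypdf==6.*
""".splitlines()

if __name__ == "__main__":
    for no, req, verdict in audit(SAMPLE):
        print(f"line {no}: {req!r} -> {verdict}")
```

A "may resolve to vulnerable" verdict means the pin has no floor at or above 6.10.0, so the installed version depends on the resolver and any lock file.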

Analysis

Memory exhaustion in the pypdf library allows remote attackers to cause denial of service through malicious PDF files whose specially crafted XMP metadata triggers excessive memory consumption during parsing. Versions prior to pypdf 6.10.0 are vulnerable; a vendor-released patch is available. …
