Skip to main content

Red Hat CVE-2026-40260

MEDIUM
Improper Restriction of Recursive Entity References in DTDs (CWE-776)
2026-04-10 https://github.com/py-pdf/pypdf GHSA-3crg-w4f6-42mx
6.9
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
MEDIUM
qualitative
Red Hat
6.5 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
CVSS changed
Apr 17, 2026 - 01:22 NVD
6.9 (MEDIUM)
Analysis Generated
Apr 10, 2026 - 21:45 vuln.today
Patch released
Apr 10, 2026 - 21:45 nvd
Patch available
CVE Published
Apr 10, 2026 - 20:59 nvd
MEDIUM

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 5 pypi packages depend on pypdf (5 direct, 0 indirect)

Ecosystem-wide dependent count for version 6.10.0.

DescriptionGitHub Advisory

Impact

An attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the XMP metadata.

Patches

This has been fixed in pypdf==6.10.0.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #3724.

AnalysisAI

Memory exhaustion in pypdf library allows remote attackers to cause denial of service by crafting malicious PDF files with specially crafted XMP metadata that triggers excessive memory consumption during parsing. Affected versions prior to pypdf 6.10.0 are vulnerable; vendor-released patch is available. No active exploitation confirmed, but the attack requires only a crafted PDF file and no special privileges.

Technical ContextAI

The vulnerability exists in pypdf (pkg:pip/pypdf), a Python PDF processing library, specifically in its XMP (Extensible Metadata Platform) metadata parsing functionality. XMP is an XML-based metadata standard embedded in PDF documents. The root cause is classified as CWE-776 (Improper Restriction of Recursive Entity References in DTDs), indicating that the parser does not properly constrain or validate recursive structures within XMP metadata, leading to unbounded memory allocation. When a PDF containing maliciously crafted XMP metadata is parsed, the library fails to enforce limits on memory consumption, allowing an attacker to exhaust available system memory.

RemediationAI

Vendor-released patch: upgrade to pypdf version 6.10.0 or later. This fix is available on PyPI and can be installed via pip with the command 'pip install --upgrade pypdf>=6.10.0'. For organizations unable to upgrade immediately, the upstream fix is available in PR #3724 (https://github.com/py-pdf/pypdf/pull/3724) and commit b15a374e5ca648d4878e57c3b2c0551e7f8cc7f8, which can be applied manually to the local pypdf installation if needed. After patching, validate that XMP metadata parsing no longer triggers excessive memory allocation by testing with large or complex PDF files.

Vendor StatusVendor

SUSE

Severity: Medium

Share

CVE-2026-40260 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy