Red Hat CVE-2026-40260
MEDIUMSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4Blast Radius
ecosystem impact- 5 pypi packages depend on pypdf (5 direct, 0 indirect)
Ecosystem-wide dependent count for version 6.10.0.
DescriptionGitHub Advisory
Impact
An attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the XMP metadata.
Patches
This has been fixed in pypdf==6.10.0.
Workarounds
If you cannot upgrade yet, consider applying the changes from PR #3724.
AnalysisAI
Memory exhaustion in pypdf library allows remote attackers to cause denial of service by crafting malicious PDF files with specially crafted XMP metadata that triggers excessive memory consumption during parsing. Affected versions prior to pypdf 6.10.0 are vulnerable; vendor-released patch is available. No active exploitation confirmed, but the attack requires only a crafted PDF file and no special privileges.
Technical ContextAI
The vulnerability exists in pypdf (pkg:pip/pypdf), a Python PDF processing library, specifically in its XMP (Extensible Metadata Platform) metadata parsing functionality. XMP is an XML-based metadata standard embedded in PDF documents. The root cause is classified as CWE-776 (Improper Restriction of Recursive Entity References in DTDs), indicating that the parser does not properly constrain or validate recursive structures within XMP metadata, leading to unbounded memory allocation. When a PDF containing maliciously crafted XMP metadata is parsed, the library fails to enforce limits on memory consumption, allowing an attacker to exhaust available system memory.
RemediationAI
Vendor-released patch: upgrade to pypdf version 6.10.0 or later. This fix is available on PyPI and can be installed via pip with the command 'pip install --upgrade pypdf>=6.10.0'. For organizations unable to upgrade immediately, the upstream fix is available in PR #3724 (https://github.com/py-pdf/pypdf/pull/3724) and commit b15a374e5ca648d4878e57c3b2c0551e7f8cc7f8, which can be applied manually to the local pypdf installation if needed. After patching, validate that XMP metadata parsing no longer triggers excessive memory allocation by testing with large or complex PDF files.
Same technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today
GHSA-3crg-w4f6-42mx