pypdf CVE-2026-41314

EUVD-2026-25116 | MEDIUM
Memory Allocation with Excessive Size Value (CWE-789)
2026-04-22 GitHub_M
4.8 (CVSS 4.0)

CVSS Vector (NVD)

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: P
Scope: X

Lifecycle Timeline (3)

Apr 23, 2026 - 07:07 (vuln.today): Analysis Generated
Apr 22, 2026 - 23:02 (EUVD): Patch available
Apr 22, 2026 - 22:22 (NVD): CVSS changed, 4.8 (MEDIUM)

Description (NVD)

pypdf is a free and open-source pure-Python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.2 can craft a PDF which leads to the RAM being exhausted. This requires accessing an image using /FlateDecode with large size values. This has been fixed in pypdf 6.10.2. As a workaround, one may apply the changes from the patch manually.

Analysis (AI)

Denial of service via memory exhaustion in pypdf prior to 6.10.2 allows local attackers with user interaction to crash applications processing crafted PDF files containing FlateDecode-compressed images with inflated size values. The vulnerability exhausts available RAM during decompression, affecting any system using vulnerable pypdf versions to parse untrusted PDF documents.
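For services that decode image streams from untrusted PDFs, the general defence against this bug class (CWE-789) is to bound both the declared size and the inflated output. The sketch below is an added example, not pypdf code and not the 6.10.2 patch; `safe_inflate`, `expected_size`, `ImageTooLarge` and the 64 MiB budget are hypothetical names and values, and it assumes a zlib stream with no /DecodeParms predictor.

```python
import zlib

MAX_IMAGE_BYTES = 64 * 1024 * 1024  # assumed per-image budget, tune per deployment


class ImageTooLarge(ValueError):
    """The image would need more memory than the budget allows."""


def expected_size(width, height, components, bits_per_component):
    """Raw byte size implied by the declared values (rows are byte-aligned)."""
    if min(width, height, components, bits_per_component) <= 0:
        raise ValueError("image parameters must be positive")
    row_bytes = (width * components * bits_per_component + 7) // 8
    return row_bytes * height


def safe_inflate(data, width, height, components=3, bits_per_component=8,
                 limit=MAX_IMAGE_BYTES):
    """Inflate a zlib image stream, trusting neither the declared size nor the stream."""
    need = expected_size(width, height, components, bits_per_component)
    if need > limit:  # reject before any buffer is sized from attacker-supplied values
        raise ImageTooLarge(f"declared size {need} exceeds limit {limit}")
    # Request one byte more than expected so an oversized stream is detected
    # without ever inflating more than need + 1 bytes.
    out = zlib.decompressobj().decompress(data, need + 1)
    if len(out) > need:
        raise ImageTooLarge("stream inflates past its declared size")
    if len(out) < need:
        raise ValueError("stream is shorter than its declared size")
    return out


if __name__ == "__main__":
    ok = zlib.compress(bytes(4 * 4 * 3))        # constructed 4x4 RGB sample
    bomb = zlib.compress(bytes(10_000_000))     # constructed: ~10 KB in, 10 MB out
    print(len(safe_inflate(ok, 4, 4)))
    for args in ((ok, 100_000, 100_000), (bomb, 4, 4)):
        try:
            safe_inflate(*args)
        except ImageTooLarge as exc:
            print("rejected:", exc)
```

Upgrading to pypdf 6.10.2 remains the fix the advisory names; a cap like this only limits the damage when a parser has to handle untrusted files.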
