Skip to main content

pypdf EUVDEUVD-2026-32913

| CVE-2026-48156 MEDIUM
Excessive Iteration (CWE-834)
2026-05-28 GitHub_M GHSA-248m-82v9-q6g6
5.1
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
3.3 LOW
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Red Hat
3.3 LOW
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Source Code Evidence Fetched
May 28, 2026 - 17:51 vuln.today
Analysis Generated
May 28, 2026 - 17:51 vuln.today
Patch available
May 28, 2026 - 17:01 EUVD
CVSS changed
May 28, 2026 - 16:22 NVD
5.1 (MEDIUM)
CVE Published
May 28, 2026 - 14:50 nvd
UNKNOWN (no severity yet)

DescriptionGitHub Advisory

pypdf is a free and open-source pure-python PDF library. Prior to 6.12.0, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires cross-reference streams with /W [0 0 0] values and large /Size values. This vulnerability is fixed in 6.12.0.

AnalysisAI

Denial-of-service via algorithmic complexity in pypdf before 6.12.0 allows an attacker who can supply a crafted PDF file to cause excessive processing time during cross-reference stream parsing. The vulnerability is triggered by crafting a PDF with /W [0 0 0] field values in a cross-reference stream combined with a large /Size value, which causes the library to perform unbounded iteration over zero-byte entries. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, any application that processes untrusted PDF input using pypdf is exposed.

Technical ContextAI

pypdf is a pure-Python PDF library (CPE: cpe:2.3:a:py-pdf:pypdf:*:*:*:*:*:*:*:*) that implements PDF 1.5+ cross-reference streams. Cross-reference streams use a /W array to specify the byte widths of the three fields per entry (type, offset, generation). When all three width values are zero (/W [0 0 0]), each entry consumes zero bytes; a parser that attempts to iterate over all entries declared by /Size will loop effectively indefinitely. This maps directly to CWE-834 (Excessive Iteration). The vulnerable logic was in _sanitize_pdf15_xref_stream_index_pairs inside _reader.py, where the previous guard used max(sum(W), 1) to prevent a ZeroDivisionError but did not short-circuit before attempting the full iteration. The fix in PR #3791 adds an early-exit when min_entry_bytes == 0, returning an empty list (non-strict mode) or raising PdfStreamError (strict mode).

RemediationAI

Vendor-released patch: pypdf 6.12.0. Upgrade immediately by running 'pip install --upgrade pypdf>=6.12.0'. The fix is confirmed in the GitHub release at https://github.com/py-pdf/pypdf/releases/tag/6.12.0 and the underlying code change is visible in PR #3791 at https://github.com/py-pdf/pypdf/pull/3791. For deployments that cannot upgrade immediately, a compensating control is to wrap PDF parsing calls in a timeout using Python's signal.alarm or a subprocess with a hard wall-clock limit, and reject any PDF that exceeds it; this trades off latency predictability for protection. Alternatively, pre-screening PDFs with a separate validator before passing them to pypdf reduces exposure. Both workarounds introduce operational complexity and should be treated as temporary.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Vendor StatusVendor

SUSE

Severity: Low

Share

EUVD-2026-32913 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy