Skip to main content

pypdf EUVDEUVD-2026-38354

| CVE-2026-54530 MEDIUM
Loop with Unreachable Exit Condition (Infinite Loop) (CWE-835)
2026-06-16 https://github.com/py-pdf/pypdf GHSA-52x6-gq3r-vpf4
6.9
CVSS 4.0 · Vendor: https://github.com/py-pdf/pypdf
Share

Severity by source

Vendor (https://github.com/py-pdf/pypdf) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.5 MEDIUM

Network-deliverable crafted PDF requires no privileges; user/service interaction (UI:R) needed to process the file; pure availability impact from infinite loop.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
5.9 MEDIUM
qualitative

Primary rating from Vendor (https://github.com/py-pdf/pypdf).

CVSS VectorVendor: https://github.com/py-pdf/pypdf

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
CVSS changed
Jun 22, 2026 - 21:39 NVD
6.9 (MEDIUM)
Source Code Evidence Fetched
Jun 16, 2026 - 14:50 vuln.today
Analysis Generated
Jun 16, 2026 - 14:50 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 pypi packages depend on pypdf (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 6.13.0.

DescriptionCVE.org

Impact

An attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires extracting the text in layout mode.

Patches

This has been fixed in pypdf==6.13.0.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #3830.

AnalysisAI

Infinite loop denial-of-service in pypdf allows an attacker to hang any Python application that processes a crafted PDF using layout-mode text extraction. The vulnerability arises because the /Parent hierarchy traversal in _layout_mode_fonts() lacked cycle detection, so a circular reference structure in a malicious PDF causes the parser to loop indefinitely. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified, but the attack surface is broad: any service accepting user-supplied PDFs and passing them to pypdf's layout-mode extraction is potentially affected.

Technical ContextAI

pypdf (pip package pypdf, formerly PyPDF2) is a pure-Python PDF manipulation library. The affected code path is pypdf/_page.py::_layout_mode_fonts(), which traverses the PDF page object tree via /Parent references to collect font resources for layout-mode text rendering. The PDF specification permits a tree of page dictionaries linked by /Parent pointers, but it does not inherently prevent circular references in a malformed or malicious file. Prior to the fix, the traversal loop had no visited-node tracking, so a crafted PDF embedding a cycle (e.g., page → dict2 → dict3 → page) would spin forever. The same pattern existed in _writer.py::_get_filtered_outline() for outline (bookmark) trees. The root cause is classified as CWE-835 (Loop with Unreachable Exit Condition / Infinite Loop). The fix in PR #3830 introduces a visited: set[int] guard using Python object identity (id()) to detect and break cycles, emitting a warning rather than raising an exception.

RemediationAI

The primary fix is to upgrade pypdf to version 6.13.0 or later via pip install --upgrade 'pypdf>=6.13.0'. The release is available at https://github.com/py-pdf/pypdf/releases/tag/6.13.0. For environments where an immediate upgrade is not possible, the changes in PR #3830 (https://github.com/py-pdf/pypdf/pull/3830) can be applied as a manual patch to pypdf/_page.py and pypdf/_writer.py. As a compensating control without code changes, operators can disable layout-mode text extraction and fall back to the default extraction mode, which does not trigger the vulnerable traversal; this trades layout fidelity for safety. Additionally, enforcing a per-process CPU or wall-clock timeout (e.g., via signal.alarm on Linux or a subprocess watchdog) limits the blast radius of any infinite loop, at the cost of aborting legitimate long-running extractions. Restricting PDF upload endpoints to authenticated users reduces the unauthenticated attack surface but does not eliminate risk from malicious insiders or compromised accounts.

Vendor StatusVendor

SUSE

Severity: Moderate

Share

EUVD-2026-38354 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy