Skip to main content

pypdf EUVDEUVD-2026-38356

| CVE-2026-49461 MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-06-16 https://github.com/py-pdf/pypdf GHSA-j543-4vmf-qm7v
6.9
CVSS 4.0 · Vendor: https://github.com/py-pdf/pypdf
Share

Severity by source

Vendor (https://github.com/py-pdf/pypdf) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Network-delivered PDF triggers memory exhaustion with no authentication or user interaction required; only availability is impacted.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Red Hat
5.5 MEDIUM
qualitative

Primary rating from Vendor (https://github.com/py-pdf/pypdf).

CVSS VectorVendor: https://github.com/py-pdf/pypdf

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
CVSS changed
Jun 22, 2026 - 21:39 NVD
6.9 (MEDIUM)
Source Code Evidence Fetched
Jun 16, 2026 - 14:21 vuln.today
Analysis Generated
Jun 16, 2026 - 14:21 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 2 pypi packages depend on pypdf (2 direct, 0 indirect)

Ecosystem-wide dependent count for version 6.12.2.

DescriptionCVE.org

Impact

An attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires extracting the text of a page which contains a form XObject with self-references.

Patches

This has been fixed in pypdf==6.12.2.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #3805.

AnalysisAI

Uncontrolled resource consumption in pypdf versions before 6.12.2 allows any attacker who can cause an application to call extract_text() on a crafted PDF to trigger unbounded memory growth, resulting in denial of service. The vulnerability arises specifically during form XObject traversal: a PDF containing a self-referencing XObject resource dictionary causes the extraction code to recurse infinitely without cycle detection. No public exploit code has been identified at time of analysis, and this vulnerability does not appear in the CISA KEV catalog.

Technical ContextAI

pypdf is a pure-Python PDF manipulation library distributed via pip (pkg:pip/pypdf). The affected code path is the _extract_text() and extract_xform_text() methods in pypdf/_page.py. PDF form XObjects (dictionary entries with /Subtype /Form) are reusable content streams embedded in a page's resource dictionary that the text extractor recursively processes. Prior to the fix, no visited-node tracking was maintained across recursive calls, so a form XObject whose /Resources /XObject dictionary included a reference back to itself could drive infinite recursion and unbounded heap allocation. CWE-400 (Uncontrolled Resource Consumption) precisely describes the root cause: the code placed no upper bound on XObject traversal depth or memory consumption. The PR #3805 fix introduces a known_ids set (keyed on Python object identity via id(xform)) threaded through the call chain; detection of a cycle causes the code to emit a warning and return an empty string rather than recurse.

RemediationAI

Upgrade to pypdf 6.12.2 or later, released at https://github.com/py-pdf/pypdf/releases/tag/6.12.2 - this is the definitive fix. If an immediate upgrade is not possible, the patch changes from PR #3805 (https://github.com/py-pdf/pypdf/pull/3805) can be applied manually to pypdf/_page.py; the change threads a known_ids set through _extract_text() and extract_xform_text() to detect and short-circuit cyclic XObject references. As a compensating control without code changes, enforce per-process memory limits before calling extract_text() on untrusted PDFs using OS-level ulimits or container memory caps (e.g., Docker --memory); this limits blast radius but does not prevent the vulnerability. Isolating extraction in a subprocess with a memory ceiling and timeout is the most robust compensating control - the trade-off is added latency and process-spawn overhead. Disabling or gating extract_text() calls on PDFs from untrusted sources is also effective if text extraction is not required for all inputs.

Vendor StatusVendor

Share

EUVD-2026-38356 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy