Resource exhaustion in Py-pdf Pypdf

CVE-2026-27026

pypdf is a free and open-source pure-python PDF library. Prior to 6.7.1, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires a malformed /FlateDecode stream, where the byte-by-byte decompress…

EPSS: 0.000 (0.3th percentile) — read the EPSS interpretation.

Affected products

Py-pdf Pypdf — versions < 6.7.1

Weakness classification (CWE)

CWE-770 — Allocation of Resources Without Limits or Throttling

References

https://github.com/py-pdf/pypdf/security/advisories/GHSA-9mvc-8737-8j8h (x_refsource_CONFIRM)
https://github.com/py-pdf/pypdf/pull/3644 (x_refsource_MISC)
https://github.com/py-pdf/pypdf/commit/7905842d833f899f1d3228af7e7467ad80277016 (x_refsource_MISC)
https://github.com/py-pdf/pypdf/releases/tag/6.7.1 (x_refsource_MISC)