Resource exhaustion in Py-pdf Pypdf

CVE-2026-28351

pypdf is a free and open-source pure-python PDF library. Prior to version 6.7.4, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the content stream using the RunLengthDecode…

Vulnerability class: DoS (Denial of Service)

EPSS: 0.000 (5.3th percentile) — read the EPSS interpretation.

Affected products

Py-pdf Pypdf — versions < 6.7.4

Weakness classification (CWE)

CWE-400 — Uncontrolled Resource Consumption

References

https://github.com/py-pdf/pypdf/security/advisories/GHSA-f2v5-7jq9-h8cg (x_refsource_CONFIRM)
https://github.com/py-pdf/pypdf/pull/3664 (x_refsource_MISC)
https://github.com/py-pdf/pypdf/commit/f309c6003746414dc7b5048c19e6d879ff2dc858 (x_refsource_MISC)
https://github.com/py-pdf/pypdf/releases/tag/6.7.4 (x_refsource_MISC)