anonhaven
Ad

CVE-2026-31826

MEDIUM CVSS 4.0: 6.8 EPSS 0.00%
Updated Mar 17, 2026
Python
Parameter Value
CVSS 6.8 (MEDIUM)
Affected Versions before 6.8.0
Fixed In 6.8.0
Type CWE-770 (Allocation Without Limits)
Vendor Python
Public PoC No

pypdf is a free and open-source pure-python PDF library. Prior to 6.8.0, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing a content stream with a rather large /Length value, regardless of the actual data length inside the stream.

This vulnerability is fixed in 6.8.0.

Attack Parameters

Attack Vector
Local
Requires local access
Attack Complexity
Low
Easy to exploit
Attack Requirements
None
No additional conditions
Privileges Required
None
No privileges needed
User Interaction
Passive
Minimal interaction

Impact Assessment

Confidentiality
None
No data leak
Integrity
None
No data modification
Availability
High
Complete denial of service

CVSS Vector v4.0

Weakness Type (CWE)

CWE-770 Allocation Without Limits

Vulnerable Products 1

Configuration From (including) Up to (excluding)
Pypdf_Project Pypdf
cpe:2.3:a:pypdf_project:pypdf:*:*:*:*:*:*:*:*
 6.8.0

References 3

https://github.com/py-pdf/pypdf/pull/3675
security-advisories@github.com
https://github.com/py-pdf/pypdf/releases/tag/6.8.0
security-advisories@github.com
https://github.com/py-pdf/pypdf/security/advisories/GHSA-hqmh-ppp3-xvm7
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-40260

Python

6.9

CVE-2026-40947

Python

2.9

CVE-2026-40192

Python

8.7

CVE-2026-40683

Python

7.7

CVE-2026-5713

Python

5.3