CVE-2026-22690
Unknown Unknown - Not Provided
Denial of Service via Missing /Root in pypdf Trailer

Publication date: 2026-01-10

Last updated on: 2026-01-10

Assigner: GitHub, Inc.

Description
pypdf is a free and open-source pure-python PDF library. Prior to version 6.6.0, pypdf has possible long runtimes for missing /Root object with large /Size values. An attacker who uses this vulnerability can craft a PDF which leads to possibly long runtimes for actually invalid files. This can be achieved by omitting the /Root entry in the trailer, while using a rather large /Size value. Only the non-strict reading mode is affected. This issue has been patched in version 6.6.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-10
Last Modified
2026-01-10
Generated
2026-06-16
AI Q&A
2026-01-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-22690
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
py-pdf pypdf to 6.6.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-22690 is a vulnerability in the pypdf Python library prior to version 6.6.0. It occurs when a crafted PDF file omits the /Root entry in its trailer dictionary but specifies a large /Size value. In non-strict reading mode, pypdf attempts to access every object number up to the large /Size value, causing potentially long runtimes and excessive resource consumption when processing such invalid files. This can lead to denial-of-service conditions. The issue affects only non-strict mode and was fixed by introducing limits on object scanning and improving parsing methods in version 6.6.0. [2, 3, 4]

Impact Analysis

This vulnerability can impact you by causing your application or system that uses the pypdf library in non-strict mode to experience long runtimes or resource exhaustion when processing maliciously crafted PDF files that omit the /Root entry but specify a large /Size value. This can lead to denial-of-service (DoS) conditions, making your system unresponsive or degraded in performance. The vulnerability does not affect strict mode, and upgrading to pypdf version 6.6.0 or enabling strict mode mitigates this risk. [3, 4]

Detection Guidance

This vulnerability can be detected by analyzing PDF files that are processed by the pypdf library in non-strict mode, specifically looking for PDFs that omit the /Root entry in the trailer but specify a large /Size value. Detection involves checking if the PdfReader is running in non-strict mode and if processing certain PDFs causes unusually long runtimes or resource consumption. A practical approach is to use the pypdf library with strict mode enabled to test suspicious PDF files, for example by running a Python script that attempts to open PDFs with `PdfReader('file.pdf', strict=True)` and monitoring for performance issues or errors. There are no specific network commands provided in the resources, but monitoring PDF processing logs and resource usage during PDF parsing can help detect exploitation attempts. [3, 4]

Mitigation Strategies

Immediate mitigation steps include upgrading the pypdf library to version 6.6.0 or later, where the vulnerability is fixed. If upgrading is not immediately possible, a recommended workaround is to enable strict mode when creating PdfReader or PdfWriter instances by setting the parameter `strict=True`, for example: `PdfReader('file.pdf', strict=True)` or `PdfWriter(clone_from=PdfReader('file.pdf', strict=True))`. This prevents the vulnerability from being triggered. Additionally, configuring the new `root_object_recovery_limit` parameter (defaulting to 10,000) can limit resource consumption during root object recovery. Monitoring and restricting processing of malformed or suspicious PDF files can also help mitigate risk. [3, 4]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22690. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart