CVE-2026-22690
Denial of Service via Missing /Root in pypdf Trailer
Publication date: 2026-01-10
Last updated on: 2026-01-10
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| py-pdf | pypdf | < 6.6.0 (fixed in 6.6.0) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-22690 is a resource-exhaustion vulnerability (CWE-400) in the pypdf Python library in versions before 6.6.0. A crafted PDF omits the /Root entry from its trailer dictionary while declaring a large /Size value. In non-strict reading mode, which is pypdf's default (`strict=False`), the reader tries to recover the missing root object by accessing every object number up to /Size, so a large /Size turns the parsing of a tiny file into a very long, resource-heavy run and a denial of service for the process handling it. Strict mode is not affected. Version 6.6.0 fixes the issue by limiting the object scan and improving the parsing methods. [2, 3, 4]
How can this vulnerability impact me?
If your application opens untrusted PDFs with pypdf in non-strict mode (the default), a crafted file with no /Root entry and a large /Size value can make that parse call run for a very long time and consume excessive CPU and memory, leaving the service unresponsive or degraded. This is a denial of service that requires nothing more than getting the file parsed. Strict mode is not affected; upgrading to pypdf 6.6.0 or later, or enabling strict mode, mitigates the risk. [3, 4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection concerns the inputs your code parses and the mode it parses them in, not network traffic; the resources give no network commands. Start by finding where pypdf is used and how: `python -c "import pypdf; print(pypdf.__version__)"` prints the installed version (anything below 6.6.0 is affected), and `grep -rnE "PdfReader\(|PdfWriter\(" --include="*.py" .` lists call sites so you can see which ones omit `strict=True` (non-strict is the default). For the inputs themselves, a crafted file has a trailer dictionary with no `/Root` entry but a large `/Size` value; a cheap pre-parse scan of the trailer for that combination flags such files before they reach the parser. Opening a suspect file with `PdfReader('file.pdf', strict=True)` is also informative: strict mode does not perform the recovery scan, so a file that hangs the default reader typically surfaces as a parse error instead. In production, log PDF-parsing latency and CPU time and alert on outliers, since a long-running parse of a small file is the observable symptom of exploitation. [3, 4]
What immediate steps should I take to mitigate this vulnerability?
Upgrade pypdf to version 6.6.0 or later, where the issue is fixed. If upgrading is not immediately possible, the documented workaround is to enable strict mode when constructing readers by passing `strict=True`, for example `PdfReader('file.pdf', strict=True)`; for writers, pass an explicitly strict reader rather than a path, `PdfWriter(clone_from=PdfReader('file.pdf', strict=True))`, so that the writer does not open the file with a non-strict reader of its own. Strict mode is not affected by this issue, but it also turns some otherwise recoverable problems in malformed files into fatal errors, so test it against your real inputs before enabling it everywhere. After upgrading, the new `root_object_recovery_limit` parameter (default 10,000) bounds the work done during root-object recovery and can be lowered further for untrusted input. Independently of the library, reject or quarantine malformed PDFs before they reach the parser and apply a timeout or resource limit to untrusted PDF processing. [3, 4]
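The detection and mitigation answers above describe the trigger pattern (a trailer with no /Root but a large /Size) and the strict-mode workaround. The following is an added example for this page, not code from the pypdf project: a pure-Python pre-check that reads the trailer dictionaries of a file and flags that pattern before the file reaches the parser, and a loader that applies the check and then opens the file with pypdf's `PdfReader(stream, strict=True)`. It goes slightly beyond the page in also inspecting cross-reference-stream dictionaries (`/Type /XRef`), which carry the trailer entries in PDF 1.5+ files. The sample PDFs are constructed inline; `SUSPICIOUS_SIZE`, `trailer_dicts`, `check_trailer` and `load_pdf_safely` are names chosen here, and the 10,000 threshold simply mirrors the default limit quoted in the answer above.

```python
"""Pre-parse trailer check for the CVE-2026-22690 trigger pattern, plus a guarded loader.

Added example for this page; not pypdf project code. The sample PDFs are
constructed inline. SUSPICIOUS_SIZE, trailer_dicts, check_trailer and
load_pdf_safely are names chosen for this example, not pypdf API.
"""
from __future__ import annotations

import re
from io import BytesIO

# /Size values above this with no /Root are flagged. 10,000 mirrors the default
# recovery limit quoted on this page; treat the number as a tunable assumption.
SUSPICIOUS_SIZE = 10_000

# Classic trailer: the keyword "trailer" followed by a dictionary.
TRAILER_RE = re.compile(rb"trailer\s*<<(.*?)>>", re.DOTALL)
# PDF 1.5+ cross-reference streams carry the trailer entries in the stream
# dictionary; match a flat dictionary that contains /Type /XRef.
XREF_STREAM_RE = re.compile(rb"<<(?:(?!>>).)*?/Type\s*/XRef(?:(?!>>).)*?>>", re.DOTALL)
SIZE_RE = re.compile(rb"/Size\s+(\d+)")
ROOT_RE = re.compile(rb"/Root\s+\d+\s+\d+\s+R")


def trailer_dicts(data: bytes) -> list[bytes]:
    """Return the raw bytes of every classic trailer and every xref-stream dictionary.

    Heuristic: nested dictionaries inside a trailer are not handled, and the
    regexes can be fooled by byte patterns inside stream data. Good enough for
    a pre-filter; pypdf itself remains the authoritative parser.
    """
    found = [m.group(1) for m in TRAILER_RE.finditer(data)]
    found += [m.group(0) for m in XREF_STREAM_RE.finditer(data)]
    return found


def check_trailer(data: bytes) -> dict:
    """Classify a PDF by its trailer entries.

    has_root:   some trailer dictionary carries a /Root reference
    max_size:   largest /Size seen, or None
    malformed:  no /Root anywhere (invalid PDF, whatever the /Size)
    suspicious: no /Root AND a /Size large enough to drive a long object scan
    """
    dicts = trailer_dicts(data)
    has_root = any(ROOT_RE.search(d) for d in dicts)
    sizes = [int(m.group(1)) for d in dicts for m in SIZE_RE.finditer(d)]
    max_size = max(sizes) if sizes else None
    malformed = not has_root
    suspicious = malformed and max_size is not None and max_size > SUSPICIOUS_SIZE
    if has_root:
        reason = "trailer has /Root"
    elif suspicious:
        reason = f"no /Root and /Size {max_size} exceeds {SUSPICIOUS_SIZE}"
    else:
        reason = "no /Root, but /Size is absent or small"
    return {"has_root": has_root, "max_size": max_size,
            "malformed": malformed, "suspicious": suspicious, "reason": reason}


def load_pdf_safely(data: bytes):
    """Refuse the crafted pattern up front, then open with pypdf in strict mode.

    strict=True is the workaround given on this page. The import is lazy so the
    pre-check runs even where pypdf is not installed.
    """
    verdict = check_trailer(data)
    if verdict["suspicious"]:
        raise ValueError(f"refusing to parse PDF: {verdict['reason']}")
    from pypdf import PdfReader  # real pypdf API: PdfReader(stream, strict=...)
    return PdfReader(BytesIO(data), strict=True)


# --- constructed sample inputs (not real-world files) ---
# Well-formed two-object PDF; the xref offsets are exact so strict mode can read it.
GOOD_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"xref\n0 3\n"
    b"0000000000 65535 f \n0000000009 00000 n \n0000000058 00000 n \n"
    b"trailer\n<< /Size 3 /Root 1 0 R >>\nstartxref\n110\n%%EOF\n"
)
# Same body, but the trailer omits /Root and claims a huge /Size: the pattern
# this advisory describes.
BAD_PDF = GOOD_PDF.replace(b"<< /Size 3 /Root 1 0 R >>", b"<< /Size 100000000 >>")
# Cross-reference-stream variant with /Root present; exercises XREF_STREAM_RE only
# (the empty stream body is not a valid xref stream for a real parser).
XREF_STREAM_PDF = (
    b"%PDF-1.5\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"3 0 obj\n<< /Type /XRef /Size 4 /Root 1 0 R /W [1 2 1] /Length 0 >>\n"
    b"stream\nendstream\nendobj\nstartxref\n110\n%%EOF\n"
)

if __name__ == "__main__":
    for name, pdf in (("good", GOOD_PDF), ("bad", BAD_PDF), ("xref-stream", XREF_STREAM_PDF)):
        print(name, check_trailer(pdf))
    try:
        load_pdf_safely(BAD_PDF)
    except ValueError as exc:
        print("blocked:", exc)
    try:
        print("good file pages:", len(load_pdf_safely(GOOD_PDF).pages))
    except ImportError:
        print("pypdf not installed; pre-check only")
```

`check_trailer` runs in a single pass over the bytes and never touches pypdf, so it can be pointed at a whole inbox of PDFs to triage which ones match the advisory's pattern; `load_pdf_safely` is the shape a hardened ingestion path takes, with the cheap structural check in front and strict mode behind it. The threshold and the regexes are deliberately conservative heuristics: a file that passes them is not proven safe, it has merely cleared the one pattern this CVE describes.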