Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-27628 is a vulnerability in the pypdf Python library that causes an infinite loop when parsing specially crafted PDF files. The issue occurs because the library's code encounters circular references in the PDF's cross-reference (xref) tables, specifically circular /Prev entries, which leads to an iteration with no exit condition. This causes the parsing process to hang indefinitely, consuming 100% CPU and repeatedly re-processing the same data."}, {'type': 'paragraph', 'content': 'The problem arises in the _read_xref_tables_and_trailers() function, which follows /Prev pointers to read xref tables. If these pointers form a cycle, the function loops endlessly without detecting the repetition. The vulnerability was fixed in pypdf version 6.7.2 by adding a mechanism to track visited xref offsets and break the loop when a cycle is detected.'}] [1, 2, 3]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to a denial-of-service (DoS) condition for any application using the pypdf library to process PDF files. An attacker can craft a malicious PDF file that triggers the infinite loop, causing the application to hang indefinitely and consume excessive CPU resources.

As a result, the affected application may become unresponsive or crash, requiring manual termination of the process. This can disrupt normal operations, degrade service availability, and potentially impact systems relying on automated PDF processing.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by attempting to load or parse PDF files using the pypdf library versions prior to 6.7.2. If a crafted PDF containing circular /Prev references in the cross-reference streams is processed, the parsing will enter an infinite loop, causing the process to hang at 100% CPU usage and repeatedly emit warnings such as "Overwriting cache for 0 129".'}, {'type': 'paragraph', 'content': "To detect this on your system, you can use a Python script that tries to load suspicious or untrusted PDF files with pypdf's PdfReader and observe if the process hangs or loops indefinitely."}, {'type': 'paragraph', 'content': 'Example command to test a PDF file (replace test.pdf with your file):'}, {'type': 'list_item', 'content': 'python -c "from pypdf import PdfReader; PdfReader(\'test.pdf\')"'}, {'type': 'paragraph', 'content': 'If this command causes the process to hang or consume 100% CPU indefinitely, it indicates the presence of the vulnerability triggered by that PDF.'}] [1, 2]

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade the pypdf library to version 6.7.2 or later, where this vulnerability has been fixed.

If upgrading immediately is not possible, you can manually apply the patch from pull request #3655, which adds cycle detection in the cross-reference parsing to prevent infinite loops.

Additionally, avoid processing untrusted or suspicious PDF files with vulnerable versions of pypdf to reduce the risk of denial-of-service caused by this infinite loop.

Useful 0 Not Useful 0