CVE-2026-27628
Infinite Loop Vulnerability in pypdf PDF Parsing Prior to
Publication date: 2026-02-25
Last updated on: 2026-02-27
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pypdf_project | pypdf | to 6.7.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-835 | The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': "CVE-2026-27628 is a vulnerability in the pypdf Python library that causes an infinite loop when parsing specially crafted PDF files. The issue occurs because the library's code encounters circular references in the PDF's cross-reference (xref) tables, specifically circular /Prev entries, which leads to an iteration with no exit condition. This causes the parsing process to hang indefinitely, consuming 100% CPU and repeatedly re-processing the same data."}, {'type': 'paragraph', 'content': 'The problem arises in the _read_xref_tables_and_trailers() function, which follows /Prev pointers to read xref tables. If these pointers form a cycle, the function loops endlessly without detecting the repetition. The vulnerability was fixed in pypdf version 6.7.2 by adding a mechanism to track visited xref offsets and break the loop when a cycle is detected.'}] [1, 2, 3]
How can this vulnerability impact me? :
This vulnerability can lead to a denial-of-service (DoS) condition for any application using the pypdf library to process PDF files. An attacker can craft a malicious PDF file that triggers the infinite loop, causing the application to hang indefinitely and consume excessive CPU resources.
As a result, the affected application may become unresponsive or crash, requiring manual termination of the process. This can disrupt normal operations, degrade service availability, and potentially impact systems relying on automated PDF processing.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by attempting to load or parse PDF files using the pypdf library versions prior to 6.7.2. If a crafted PDF containing circular /Prev references in the cross-reference streams is processed, the parsing will enter an infinite loop, causing the process to hang at 100% CPU usage and repeatedly emit warnings such as "Overwriting cache for 0 129".'}, {'type': 'paragraph', 'content': "To detect this on your system, you can use a Python script that tries to load suspicious or untrusted PDF files with pypdf's PdfReader and observe if the process hangs or loops indefinitely."}, {'type': 'paragraph', 'content': 'Example command to test a PDF file (replace test.pdf with your file):'}, {'type': 'list_item', 'content': 'python -c "from pypdf import PdfReader; PdfReader(\'test.pdf\')"'}, {'type': 'paragraph', 'content': 'If this command causes the process to hang or consume 100% CPU indefinitely, it indicates the presence of the vulnerability triggered by that PDF.'}] [1, 2]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade the pypdf library to version 6.7.2 or later, where this vulnerability has been fixed.
If upgrading immediately is not possible, you can manually apply the patch from pull request #3655, which adds cycle detection in the cross-reference parsing to prevent infinite loops.
Additionally, avoid processing untrusted or suspicious PDF files with vulnerable versions of pypdf to reduce the risk of denial-of-service caused by this infinite loop.