CVE-2026-27888
Received Received - Intake
Memory Exhaustion via Compressed XFA Streams in pypdf Prior to

Publication date: 2026-02-26

Last updated on: 2026-02-27

Assigner: GitHub, Inc.

Description
pypdf is a free and open-source pure-python PDF library. Prior to 6.7.3, an attacker who uses this vulnerability can craft a PDF which leads to the RAM being exhausted. This requires accessing the `xfa` property of a reader or writer and the corresponding stream being compressed using `/FlateDecode`. This has been fixed in pypdf 6.7.3. As a workaround, apply the patch manually.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-26
Last Modified
2026-02-27
Generated
2026-06-16
AI Q&A
2026-02-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27888
EUVD
EUVD-2026-8791
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
pypdf_project pypdf to 6.7.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-27888 is a vulnerability in the pypdf Python library prior to version 6.7.3. It occurs when an attacker crafts a malicious PDF containing an XFA (XML Forms Architecture) stream compressed using FlateDecode. Accessing the xfa property of a PDF reader or writer triggers decompression of this stream without proper limits, which can lead to exhaustion of RAM due to uncontrolled resource consumption.

The root cause is the lack of a decompression output size limit when handling the compressed XFA data, allowing a decompression bomb or resource exhaustion attack. This vulnerability has been fixed by implementing a decompression limit that restricts the maximum output size during decompression, preventing excessive memory usage.

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability can lead to a denial-of-service condition by exhausting the system's RAM when processing a specially crafted PDF file. If an attacker provides such a malicious PDF to an application using the vulnerable pypdf versions, the application may consume excessive memory and potentially crash or become unresponsive."}, {'type': 'paragraph', 'content': 'This uncontrolled resource consumption can disrupt normal operations, degrade performance, and potentially cause service outages in environments that process untrusted PDF files using pypdf.'}] [1, 2, 3, 4]

Compliance Impact

I don't know

Detection Guidance

This vulnerability occurs when a malicious PDF containing a FlateDecode-compressed XFA stream is accessed via the `xfa` property of the pypdf reader or writer, leading to excessive RAM usage during decompression.

To detect exploitation attempts or presence of vulnerable files, you can monitor for unusually high memory usage or crashes when processing PDFs with pypdf versions prior to 6.7.3.

Since the vulnerability is triggered by accessing the `xfa` property, you can write or use scripts that attempt to open PDFs with pypdf and access this property to see if resource exhaustion occurs.

No specific detection commands are provided in the resources, but a possible approach is to run a Python script that loads PDFs using pypdf < 6.7.3 and accesses the `xfa` property, monitoring system resource usage.

Mitigation Strategies

The primary mitigation is to upgrade the pypdf library to version 6.7.3 or later, where the vulnerability has been fixed by implementing a decompression limit on XFA streams.

If upgrading immediately is not possible, apply the patch manually from pull request #3658, which enforces a decompression output size limit to prevent resource exhaustion.

Avoid processing untrusted PDF files that may contain maliciously crafted XFA streams until the fix or patch is applied.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27888. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart