CVE-2026-27888
Memory Exhaustion via Compressed XFA Streams in pypdf Prior to
Publication date: 2026-02-26
Last updated on: 2026-02-27
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pypdf_project | pypdf | to 6.7.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27888 is a vulnerability in the pypdf Python library prior to version 6.7.3. It occurs when an attacker crafts a malicious PDF containing an XFA (XML Forms Architecture) stream compressed using FlateDecode. Accessing the xfa property of a PDF reader or writer triggers decompression of this stream without proper limits, which can lead to exhaustion of RAM due to uncontrolled resource consumption.
The root cause is the lack of a decompression output size limit when handling the compressed XFA data, allowing a decompression bomb or resource exhaustion attack. This vulnerability has been fixed by implementing a decompression limit that restricts the maximum output size during decompression, preventing excessive memory usage.
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': "This vulnerability can lead to a denial-of-service condition by exhausting the system's RAM when processing a specially crafted PDF file. If an attacker provides such a malicious PDF to an application using the vulnerable pypdf versions, the application may consume excessive memory and potentially crash or become unresponsive."}, {'type': 'paragraph', 'content': 'This uncontrolled resource consumption can disrupt normal operations, degrade performance, and potentially cause service outages in environments that process untrusted PDF files using pypdf.'}] [1, 2, 3, 4]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability occurs when a malicious PDF containing a FlateDecode-compressed XFA stream is accessed via the `xfa` property of the pypdf reader or writer, leading to excessive RAM usage during decompression.
To detect exploitation attempts or presence of vulnerable files, you can monitor for unusually high memory usage or crashes when processing PDFs with pypdf versions prior to 6.7.3.
Since the vulnerability is triggered by accessing the `xfa` property, you can write or use scripts that attempt to open PDFs with pypdf and access this property to see if resource exhaustion occurs.
No specific detection commands are provided in the resources, but a possible approach is to run a Python script that loads PDFs using pypdf < 6.7.3 and accesses the `xfa` property, monitoring system resource usage.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade the pypdf library to version 6.7.3 or later, where the vulnerability has been fixed by implementing a decompression limit on XFA streams.
If upgrading immediately is not possible, apply the patch manually from pull request #3658, which enforces a decompression output size limit to prevent resource exhaustion.
Avoid processing untrusted PDF files that may contain maliciously crafted XFA streams until the fix or patch is applied.