CVE-2026-28351
Memory Exhaustion via RunLengthDecode in pypdf Before 6.7.4
Publication date: 2026-02-27
Last updated on: 2026-03-03
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pypdf_project | pypdf | all versions before 6.7.4 (6.7.4 itself is not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-28351 is a vulnerability in the pypdf Python library versions prior to 6.7.4. It occurs when parsing PDF content streams that use the RunLengthDecode filter. An attacker can craft a malicious PDF that causes the RunLengthDecode filter to produce excessively large output during decompression, leading to large memory usage.
This happens because the decompression process does not limit the amount of data it outputs, which can result in uncontrolled resource consumption and potentially exhaust system memory.
The vulnerability was fixed in version 6.7.4 by introducing a limit on the maximum output length of the RunLengthDecode filter, preventing excessive memory usage during decompression.
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker to cause your system to consume excessive memory when processing a specially crafted PDF file using the vulnerable pypdf library.
The excessive memory usage can lead to system instability, degraded performance, or even denial-of-service conditions if system resources are exhausted.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves excessive memory usage when parsing PDF content streams using the RunLengthDecode filter in pypdf versions prior to 6.7.4.
Detection can involve monitoring for unusually high memory consumption during PDF processing with pypdf, especially when handling PDFs that use the RunLengthDecode filter.
Since the issue only manifests while a vulnerable library decompresses the stream, the most practical approach is to identify installations of vulnerable pypdf versions (before 6.7.4) in your environment.
Commands to detect the pypdf version installed in your Python environment include:
- `pip show pypdf`
- `pip list | grep pypdf`
Additionally, you can scan PDF files for the presence of the RunLengthDecode filter in their stream dictionaries by using PDF inspection tools or scripts that parse PDF objects.
However, no specific detection commands or signatures for crafted malicious PDFs exploiting this vulnerability are provided in the available resources.
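As an added illustration of the two detection approaches above (not code from the advisory or from the pypdf project), the following script checks the installed pypdf version against the fixed version named on this page and performs a byte-level scan of a PDF for stream dictionaries that name the RunLengthDecode filter. The sample PDF bytes are constructed for the example. Note the caveat a practitioner should keep in mind: a raw byte scan only sees dictionaries stored in plain text, so filters declared inside compressed object streams are not found this way; a real PDF parser is needed for those.

```python
import importlib.metadata
import re
from typing import List, Optional, Tuple

# Version in which the issue was fixed, taken from the advisory text.
FIXED_VERSION = (6, 7, 4)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '6.7.3' (or '7.0.0rc1') into a comparable tuple of leading integers."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def is_vulnerable_version(version: str) -> bool:
    """True for any pypdf release older than the fixed version."""
    return parse_version(version) < FIXED_VERSION


def installed_pypdf_is_vulnerable() -> Optional[bool]:
    """Return True/False for the installed pypdf, or None if it is not installed."""
    try:
        installed = importlib.metadata.version("pypdf")
    except importlib.metadata.PackageNotFoundError:
        return None
    return is_vulnerable_version(installed)


# Matches '/Filter /RunLengthDecode' or a filter array containing it, e.g.
# '/Filter [ /FlateDecode /RunLengthDecode ]'. Whitespace between tokens is optional.
RUNLENGTH_FILTER_RE = re.compile(
    rb"/Filter\s*(?:\[[^\]]*?/RunLengthDecode[^\]]*\]|/RunLengthDecode\b)"
)


def find_runlength_filters(pdf_bytes: bytes) -> List[Tuple[int, bytes]]:
    """Return (offset, matched text) for every plain-text stream dictionary
    that declares RunLengthDecode. Dictionaries inside compressed object
    streams are NOT visible to this scan (limitation of a byte-level check)."""
    return [(m.start(), m.group(0)) for m in RUNLENGTH_FILTER_RE.finditer(pdf_bytes)]


# Constructed sample: three stream objects, two of which use RunLengthDecode.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Length 5 /Filter /FlateDecode >> stream\nxxxxx\nendstream endobj\n"
    b"2 0 obj << /Length 1 /Filter [ /FlateDecode /RunLengthDecode ] >> stream\n\x80\nendstream endobj\n"
    b"3 0 obj << /Length 1 /Filter/RunLengthDecode >> stream\n\x80\nendstream endobj\n"
)


if __name__ == "__main__":
    status = installed_pypdf_is_vulnerable()
    if status is None:
        print("pypdf is not installed in this environment")
    else:
        print("installed pypdf is", "VULNERABLE" if status else "fixed")
    for offset, text in find_runlength_filters(SAMPLE_PDF):
        print(f"RunLengthDecode filter at byte offset {offset}: {text!r}")
```

Run it inside each virtual environment that processes PDFs; `importlib.metadata` reports the version of the interpreter that imports it, which is what matters, rather than whatever `pip` happens to be on the shell path.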
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade the pypdf library to version 6.7.4 or later, where this vulnerability has been fixed.
If upgrading immediately is not possible, applying the changes from pull request #3664 is recommended as a workaround. This change introduces a limit on the output length of the RunLengthDecode filter to prevent excessive memory usage.
Additionally, reviewing and limiting the processing of untrusted PDF files that use the RunLengthDecode filter can help reduce risk.
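To make concrete both the mechanism described in the explanation above (a small encoded stream expanding into a very large decoded one) and the shape of the fix (an upper bound on decoder output), here is an added example of a RunLengthDecode decoder with an output cap. It is written for this page and is not pypdf's code; the name of the cap parameter and the error class are assumptions. It follows the RunLengthDecode rules in the PDF specification: a length byte L from 0 to 127 copies the next L+1 bytes literally, L from 129 to 255 repeats the following byte 257-L times, and 128 marks end of data, so two encoded bytes can produce 128 decoded bytes (a 64x expansion). The sample inputs are constructed.

```python
from typing import Optional

EOD = 128                      # end-of-data marker in RunLengthDecode
DEFAULT_MAX_OUTPUT = 1 << 20   # 1 MiB cap; assumed value for this example


class OutputLimitExceeded(ValueError):
    """Raised when decoding would produce more bytes than the caller allows."""


def max_expansion(encoded_len: int) -> int:
    """Worst-case decoded size: every 2 encoded bytes can yield 128 decoded bytes."""
    return (encoded_len // 2) * 128


def run_length_decode(data: bytes, max_output: Optional[int] = DEFAULT_MAX_OUTPUT) -> bytes:
    """Decode a RunLengthDecode stream, refusing to grow past max_output bytes.

    max_output=None reproduces the unbounded behaviour of a decoder with no cap,
    which is the failure mode the advisory describes."""
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        length = data[i]
        i += 1
        if length == EOD:
            break
        if length < 128:
            # Literal run: copy the next length+1 bytes.
            chunk = data[i:i + length + 1]
            if len(chunk) != length + 1:
                raise ValueError("truncated literal run")
            i += length + 1
        else:
            # Repeat run: the next single byte, 257-length times.
            if i >= n:
                raise ValueError("truncated repeat run")
            chunk = bytes([data[i]]) * (257 - length)
            i += 1
        # The check happens BEFORE the chunk is appended, so memory never
        # grows past the cap even transiently.
        if max_output is not None and len(out) + len(chunk) > max_output:
            raise OutputLimitExceeded(
                f"decoded output would exceed {max_output} bytes"
            )
        out += chunk
    return bytes(out)


def try_decode(data: bytes, max_output: Optional[int]) -> Optional[bytes]:
    """Return the decoded bytes, or None if the output cap was hit."""
    try:
        return run_length_decode(data, max_output)
    except OutputLimitExceeded:
        return None


if __name__ == "__main__":
    # Constructed worst-case stream: each b"\x81A" pair decodes to 128 x "A".
    encoded = b"\x81A" * 8 + bytes([EOD])
    print(f"{len(encoded)} encoded bytes -> up to {max_expansion(len(encoded))} decoded bytes")
    print("uncapped:", len(run_length_decode(encoded, max_output=None)), "bytes")
    print("capped at 1000:", try_decode(encoded, max_output=1000))
```

The cap should be chosen from the size the caller can actually afford to hold (for a content stream, something proportional to the page's reasonable content, not the host's free RAM); the key design point is that the budget is checked before each chunk is materialised, not after the whole stream has been decoded.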