CVE-2026-33123
Received Received - Intake
Denial of Service via Malicious PDF in pypdf

Publication date: 2026-03-20

Last updated on: 2026-03-23

Assigner: GitHub, Inc.

Description
pypdf is a free and open-source pure-python PDF library. Versions prior to 6.9.1 allow an attacker to craft a malicious PDF which leads to long runtimes and/or large memory usage. Exploitation requires accessing an array-based stream with many entries. This issue has been fixed in version 6.9.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-20
Last Modified
2026-03-23
Generated
2026-06-16
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-14
NVD
CVE-2026-33123
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
pypdf_project pypdf to 6.9.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
CWE-407 An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33123 is a vulnerability in the pypdf Python library versions prior to 6.9.1 that allows an attacker to craft a malicious PDF file containing an array-based stream with many entries. When such a PDF is processed, it causes inefficient decoding leading to long runtimes and/or large memory usage.

This issue arises due to inefficient algorithmic complexity in handling these large array-based content streams, which can degrade system performance significantly.

The vulnerability is classified under uncontrolled resource consumption and inefficient algorithmic complexity, and it was fixed in version 6.9.1 by improving performance and imposing limits on the length of array-based content streams.

Impact Analysis

Exploitation of this vulnerability can lead to excessive resource consumption such as long runtimes and high memory usage when processing specially crafted malicious PDF files.

This can degrade system performance, potentially causing denial of service or making the system unresponsive due to resource exhaustion.

Compliance Impact

I don't know

Detection Guidance

This vulnerability involves processing malicious PDF files with large array-based streams that cause excessive runtimes and memory usage in the pypdf library versions prior to 6.9.1.

Detection can focus on identifying PDF files with unusually large or complex array-based content streams that might trigger the inefficient decoding.

Since the vulnerability is triggered by opening or processing such PDFs, monitoring for high CPU or memory usage during PDF processing with pypdf could indicate exploitation attempts.

No specific commands are provided in the available resources to detect this vulnerability directly on a system or network.

Mitigation Strategies

The primary mitigation step is to upgrade the pypdf library to version 6.9.1 or later, where the vulnerability has been fixed.

If immediate upgrade is not possible, applying the changes from pull request #3686 is recommended as a workaround to limit the length of array-based content streams and improve performance.

Additionally, avoid processing untrusted or suspicious PDF files that may contain maliciously crafted large array-based streams.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33123. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart