CVE-2026-33699
Infinite Loop Vulnerability in pypdf PDF Parsing Pre

Publication date: 2026-03-27

Last updated on: 2026-04-01

Assigner: GitHub, Inc.

Description
pypdf is a free and open-source pure-python PDF library. Versions prior to 6.9.2 have a vulnerability in which an attacker can craft a PDF which leads to an infinite loop. This requires reading a file in non-strict mode. This has been fixed in pypdf 6.9.2. If users cannot upgrade yet, consider applying the changes from the patch manually.
Meta Information
Published: 2026-03-27
Last Modified: 2026-04-01
Generated: 2026-05-07
AI Q&A: 2026-03-27
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: pypdf_project
Product: pypdf
Version / Range: up to 6.9.2 (exclusive)
CWE
CWE-835: The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade the pypdf library to version 6.9.2 or later, where this vulnerability has been fixed.

If upgrading immediately is not possible, apply the patch from pull request #3693 manually to fix the infinite loop issue in the `read_from_stream` function.

Additionally, consider processing PDF files in strict mode if feasible, as the vulnerability only affects non-strict mode.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify any direct impact of the CVE-2026-33699 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.


Can you explain this vulnerability to me?

CVE-2026-33699 is a vulnerability in the pypdf Python library versions prior to 6.9.2. It occurs in the method `DictionaryObject.read_from_stream` when reading PDF files in non-strict mode. An attacker can craft a malicious PDF file that triggers an infinite loop during error recovery attempts. This infinite loop happens because the iteration has an unreachable exit condition, causing the function to loop indefinitely.

The issue specifically arises when the function encounters errors such as recursion errors or filter limit errors, which should normally cause a hard error but instead lead to the infinite loop. This vulnerability is classified under CWE-835 (Loop with Unreachable Exit Condition).

The vulnerability was fixed in pypdf version 6.9.2 by modifying the `read_from_stream` logic to properly handle these error conditions and prevent the infinite loop.


How can this vulnerability impact me?

This vulnerability can lead to a denial-of-service (DoS) condition. When a maliciously crafted PDF is processed in non-strict mode, the infinite loop can cause the application to hang or consume excessive resources.

Such resource exhaustion or application hang can disrupt normal operations, potentially affecting availability of services that rely on pypdf for PDF processing.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability occurs when the pypdf library processes a crafted malicious PDF file in non-strict mode, causing an infinite loop in the `read_from_stream` function.

Detection involves identifying attempts to process suspicious or malformed PDF files using vulnerable versions of pypdf (prior to 6.9.2). Monitoring for unusually high CPU or resource usage during PDF processing could indicate the infinite loop triggered by this vulnerability.

Since the issue is triggered by reading a PDF file in non-strict mode, you can test your system by running a script that attempts to parse potentially malicious PDFs with pypdf versions before 6.9.2 and observe if the process hangs or loops indefinitely.

No specific detection commands are provided in the resources, but general approaches include:

  • Use monitoring tools (e.g., top, htop) to detect processes consuming excessive CPU during PDF processing.
  • Run Python scripts that load PDFs with pypdf in non-strict mode and check for hangs or infinite loops.
  • Check the version of pypdf installed using: `pip show pypdf` or `pip list | grep pypdf`.
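The version check and the strict-mode mitigation above, combined into one defensive loader, as an added example that is not code from pypdf or from this advisory. It assumes pypdf's `PdfReader(path, strict=...)` API, the fixed release 6.9.2 named above, and a POSIX host (SIGALRM is what turns a silent hang into a bounded, logged failure); `simulated_hang` is a constructed stand-in for the loop, so no crafted PDF is involved.

```python
"""Defensive pypdf front door for CVE-2026-33699 (added example; not pypdf's or
the advisory's own code). Assumes pypdf's PdfReader(path, strict=...) API, the
fixed release 6.9.2 named above, and a POSIX host (SIGALRM bounds the parse)."""
import re
import signal
from importlib.metadata import version

FIXED_VERSION = (6, 9, 2)  # first release with the fix, per the advisory

def parse_version(text):
    """'6.9.1' -> (6, 9, 1); '6.10.0rc1' -> (6, 10, 0); compares as a tuple."""
    return tuple(int(n) for n in re.findall(r"\d+", text)[:3])

def is_vulnerable(pypdf_version):
    """True for every pypdf release before 6.9.2."""
    return parse_version(pypdf_version) < FIXED_VERSION

def run_with_deadline(func, seconds):
    """Return ("ok", func()), or ("timeout", None) once `seconds` elapse. SIGALRM
    fires between bytecodes, so it interrupts pypdf's pure-Python loop."""
    def on_alarm(signum, frame):
        raise TimeoutError("parse deadline reached")
    previous = signal.signal(signal.SIGALRM, on_alarm)
    signal.setitimer(signal.ITIMER_REAL, seconds)
    try:
        return "ok", func()
    except TimeoutError:
        return "timeout", None
    finally:
        signal.setitimer(signal.ITIMER_REAL, 0)  # cancel any pending alarm
        signal.signal(signal.SIGALRM, previous)

def simulated_hang():
    """Constructed stand-in for the parser's infinite loop; no crafted PDF."""
    while True:
        pass

def safe_page_count(path, deadline_s=5.0):
    """Refuse vulnerable versions, read in strict mode, and bound the parse."""
    current = version("pypdf")  # raises PackageNotFoundError if not installed
    if is_vulnerable(current):
        raise RuntimeError(f"pypdf {current} is older than 6.9.2; refusing to parse")
    from pypdf import PdfReader  # lazy import: the version check needs no pypdf
    status, pages = run_with_deadline(lambda: len(PdfReader(path, strict=True).pages), deadline_s)
    if status == "timeout":
        raise TimeoutError(f"{path}: no result after {deadline_s}s; treat as hostile")
    return pages
```

A timeout from `safe_page_count` is the signal worth alerting on: a well-formed PDF returns in well under the budget, so repeated deadline hits from one source are a better indicator than raw CPU graphs.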
