CVE-2026-40260
Memory Exhaustion via XMP Metadata in pypdf Before
Publication date: 2026-04-17
Last updated on: 2026-04-22
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pypdf_project | pypdf | to 6.10.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-776 | The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
Exploiting this vulnerability can cause the application using pypdf to consume a large amount of RAM, potentially leading to performance degradation or denial of service due to resource exhaustion.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade the pypdf library to version 6.10.0 or later, where the issue has been fixed.
Can you explain this vulnerability to me?
This vulnerability exists in the pypdf library versions prior to 6.10.0. It involves manipulated XMP metadata entity declarations within a PDF file that can cause excessive RAM usage when the metadata is parsed.
An attacker can craft a specially designed PDF that triggers this behavior, leading to large memory consumption during processing.
This issue was fixed in version 6.10.0 of pypdf.