CVE-2026-41168
Denial of Service via Malformed PDF in pypdf
Publication date: 2026-04-22
Last updated on: 2026-04-24
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pypdf_project | pypdf | up to 6.10.1 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-834 | The product performs an iteration or loop without sufficiently limiting the number of times that the loop is executed. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-41168 is a vulnerability in the pypdf Python library that allows an attacker to craft a malicious PDF file with malformed cross-reference streams or object streams containing incorrectly large size values. Specifically, the attacker manipulates the /Size value in cross-reference streams or the /N value in object streams to be excessively large. This causes the pypdf library to perform excessive iteration or processing, leading to long runtimes and potential resource exhaustion during PDF parsing.
The vulnerability is classified under CWE-834 (Excessive Iteration) and can result in denial-of-service conditions by causing the library to consume excessive CPU or memory resources. The issue was fixed in pypdf version 6.10.1 by introducing strict limits on the sizes of these streams based on actual stream data length and declared widths, preventing attackers from exploiting oversized or malformed PDF structures.
How can this vulnerability impact me?
This vulnerability can impact users by causing denial-of-service conditions when processing malicious PDF files. An attacker can craft a PDF that triggers excessive iteration in the pypdf library, leading to long runtimes and potentially exhausting system resources such as CPU and memory.
Such resource exhaustion can degrade application performance, cause crashes, or make the system unresponsive, especially in environments where PDFs are processed automatically or at scale. This can disrupt services relying on pypdf for PDF parsing or manipulation.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves maliciously crafted PDF files with oversized cross-reference streams or object streams that cause excessive iteration and long runtimes in the pypdf library. Detection involves identifying PDF files with abnormal or excessively large /Size or /N values in their cross-reference or object streams.
Since the vulnerability is triggered by malformed PDF structures, you can detect suspicious PDFs by inspecting the /Size and /N values in PDF cross-reference and object streams. Tools that parse PDF internals or custom scripts can be used to extract and analyze these values.
No specific commands are provided in the resources, but a general approach could be:
- Use a PDF parsing tool or script to extract cross-reference streams and object streams from PDF files.
- Check if the /Size value in cross-reference streams or the /N value in object streams is unusually large or inconsistent with the actual stream size.
- Monitor logs or runtime behavior of pypdf when processing PDFs for unusually long runtimes or warnings/errors related to LimitReachedError or clamping of /N or /Size values.
For automated detection, you might consider running pypdf in strict mode on PDFs and catching LimitReachedError exceptions or warnings indicating oversized streams.
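As an added illustration of the detection approach just described, the following Python script is example code written for this page (it is not pypdf's own code and is not taken from the referenced pull request). It scans a PDF for object streams and cross-reference streams whose declared /N or /Size could not possibly fit in the stream's actual data: an object-stream header needs at least a few bytes per entry, and an xref stream needs sum(/W) bytes per entry. The 4-bytes-per-entry bound, the handling of only direct /Length values and FlateDecode-compressed bodies, and the two sample PDFs it builds are constructed assumptions for the example.

```python
import re
import sys
import zlib

# Assumed heuristic bound, not a pypdf limit: each object-stream header entry
# is "<objnum> <offset> ", so it needs at least 4 bytes.
MIN_BYTES_PER_OBJSTM_ENTRY = 4

# "<num> <gen> obj << ... >> stream\n": the tempered (?!endobj) token stops the
# dictionary match from running across a stream-less object into the next one.
STREAM_RE = re.compile(
    rb"(\d+)\s+\d+\s+obj\s*<<((?:(?!endobj).)*?)>>\s*stream\r?\n", re.DOTALL)
W_RE = re.compile(rb"/W\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s*\]")
INDEX_RE = re.compile(rb"/Index\s*\[([\d\s]+)\]")


def _direct_int(dict_bytes: bytes, key: bytes):
    """Return the integer for /key, ignoring indirect references like '5 0 R'."""
    m = re.search(rb"/" + key + rb"\s+(\d+)(?![\d\s]*R)", dict_bytes)
    return int(m.group(1)) if m else None


def _stream_body(pdf: bytes, dict_bytes: bytes, start: int) -> bytes:
    """Slice the raw stream data and inflate it if it is FlateDecode-compressed."""
    length = _direct_int(dict_bytes, b"Length")
    if length is None:  # no direct /Length: fall back to the endstream keyword
        end = pdf.find(b"endstream", start)
        length = (end if end != -1 else len(pdf)) - start
    body = pdf[start:start + length]
    if b"/FlateDecode" in dict_bytes:
        try:
            body = zlib.decompress(body)
        except zlib.error:
            return b""  # undecodable data can hold zero entries
    return body


def scan_pdf(pdf: bytes) -> list:
    """Return one finding per stream whose declared entry count exceeds capacity."""
    findings = []
    for m in STREAM_RE.finditer(pdf):
        objnum, d = int(m.group(1)), m.group(2)
        body = _stream_body(pdf, d, m.end())
        if b"/ObjStm" in d:
            n = _direct_int(d, b"N")
            first = _direct_int(d, b"First")
            header_len = min(len(body), first if first is not None else len(body))
            capacity = header_len // MIN_BYTES_PER_OBJSTM_ENTRY
            if n is not None and n > capacity:
                findings.append({"object": objnum, "kind": "ObjStm",
                                 "declared": n, "capacity": capacity})
        elif b"/XRef" in d:
            size = _direct_int(d, b"Size")
            w = W_RE.search(d)
            if size is None or w is None:
                continue
            entry_width = sum(int(x) for x in w.groups())
            idx = INDEX_RE.search(d)
            if idx:  # /Index [start count ...]: the entry count is the sum of counts
                entries = sum(int(x) for x in idx.group(1).split()[1::2])
            else:    # default /Index is [0 /Size], so /Size entries are expected
                entries = size
            capacity = len(body) // entry_width if entry_width else 0
            if entries > capacity:
                findings.append({"object": objnum, "kind": "XRef",
                                 "declared": entries, "capacity": capacity})
    return findings


def _stream_obj(objnum: int, entries: bytes, body: bytes) -> bytes:
    return (b"%d 0 obj\n<< %s /Length %d >>\nstream\n" % (objnum, entries, len(body))
            + body + b"\nendstream\nendobj\n")


def sample_pdf(malicious: bool) -> bytes:
    """Constructed minimal PDF: two objects packed in a compressed object stream plus
    an xref stream. The malicious variant only inflates the declared /N and /Size."""
    header = b"3 0 4 12 "
    packed = zlib.compress(header + b"<< /A 1 >> << /B 2 >>")
    n = 100000000 if malicious else 2
    size = 2000000000 if malicious else 3
    return (b"%PDF-1.5\n"
            + b"1 0 obj\n<< /Type /Catalog >>\nendobj\n"
            + _stream_obj(2, b"/Type /ObjStm /N %d /First %d /Filter /FlateDecode"
                          % (n, len(header)), packed)
            + _stream_obj(5, b"/Type /XRef /Size %d /W [1 2 1] /Root 1 0 R" % size,
                          bytes(12))
            + b"startxref\n0\n%%EOF\n")


if __name__ == "__main__":
    paths = sys.argv[1:]
    if paths:  # scan real files given on the command line
        for p in paths:
            with open(p, "rb") as fh:
                print(p, scan_pdf(fh.read()))
    else:      # no arguments: demonstrate on the constructed samples
        print("benign:", scan_pdf(sample_pdf(False)))
        print("malicious:", scan_pdf(sample_pdf(True)))
```

The scanner is a pre-filter for an ingestion pipeline rather than a replacement for the fix: a stream flagged here is one whose declared count is inconsistent with its data, which is exactly the condition the patched pypdf clamps or, in strict mode, rejects. Files with indirect /Length references or filters other than FlateDecode fall through unchecked, so a production version would parse those cases or simply quarantine them for manual review.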
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade the pypdf library to version 6.10.1 or later, where the vulnerability has been fixed by enforcing strict limits on the sizes of cross-reference and object streams.
If upgrading immediately is not possible, you can manually apply the patch changes from pull request #3733, which implement the size restrictions and error handling to prevent excessive iteration.
Additionally, consider running pypdf in strict mode to ensure that oversized streams raise errors rather than being silently clamped, improving detection and prevention of exploitation.
Avoid processing untrusted or suspicious PDF files until the fix is applied, as these could exploit the vulnerability to cause denial-of-service or long runtimes.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of CVE-2026-41168 on compliance with common standards and regulations such as GDPR or HIPAA.