CVE-2026-41312
Received Received - Intake
Memory Exhaustion in pypdf via Malicious FlateDecode Streams

Publication date: 2026-04-22

Last updated on: 2026-04-27

Assigner: GitHub, Inc.

Description
pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.2 can craft a PDF which leads to the RAM being exhausted. This requires accessing a stream compressed using `/FlateDecode` with a `/Predictor` unequal 1 and large predictor parameters. This has been fixed in pypdf 6.10.2. As a workaround, one may apply the changes from the patch manually.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-22
Last Modified
2026-04-27
Generated
2026-06-16
AI Q&A
2026-04-23
EPSS Evaluated
2026-06-14
NVD
CVE-2026-41312
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
pypdf_project pypdf to 6.10.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-789 The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the pypdf library versions prior to 6.10.2. An attacker can craft a specially designed PDF file that exploits the way pypdf handles streams compressed with /FlateDecode when the /Predictor parameter is not equal to 1 and has large predictor parameters. When such a PDF is processed, it can cause the system's RAM to be exhausted.

Impact Analysis

The primary impact of this vulnerability is a denial of service condition caused by exhaustion of RAM. When a vulnerable version of pypdf processes a maliciously crafted PDF, it can consume excessive memory resources, potentially leading to application crashes or system instability.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade pypdf to version 6.10.2 or later, where the issue has been fixed.

As a temporary workaround, you may manually apply the changes from the patch that fixes this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41312. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart