CVE-2026-41312
Memory Exhaustion in pypdf via Malicious FlateDecode Streams
Publication date: 2026-04-22
Last updated on: 2026-04-27
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pypdf_project | pypdf | all versions before 6.10.2 (6.10.2 itself is not affected) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-789 | The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects pypdf versions before 6.10.2. A PDF stream compressed with /FlateDecode can carry a /DecodeParms dictionary whose /Predictor value is not 1, meaning that after inflation every row still has to be un-predicted (TIFF predictor 2, or the PNG predictors 10 to 15). The width of those rows is derived from the other predictor parameters in the same dictionary (/Columns, /Colors and /BitsPerComponent), and all of them come straight from the file, so an attacker controls them. A crafted PDF sets them to very large values, and a vulnerable pypdf allocates memory based on those untrusted sizes without checking them against expected limits (CWE-789), so merely opening the file can exhaust the available RAM.
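As an added illustration of the mechanism (example code written for this page, not pypdf's own implementation or its fix), the following Python sketch shows the row-sizing rule for predicted streams, why reserving memory from the /DecodeParms values alone is the CWE-789 pattern, and a PNG un-predictor that bounds its memory by the data actually present. The limits MAX_DECOMPRESSED_BYTES and MAX_ROW_BYTES, the function names and the sample stream are all constructed for this example.

```python
import zlib

# Hypothetical limits for this example (not pypdf settings).
MAX_DECOMPRESSED_BYTES = 64 * 1024 * 1024   # cap on inflated stream size
MAX_ROW_BYTES = 1 << 20                      # cap on one predictor row


def row_length(columns, colors, bpc):
    """Payload bytes per predicted row: ceil(Columns*Colors*BitsPerComponent/8)."""
    return (columns * colors * bpc + 7) // 8


def planned_allocation(columns, colors, bpc, rows):
    """What a naive decoder would reserve from the dictionary values alone.
    This is the CWE-789 shape: the size is attacker-controlled and nothing
    ties it to how much stream data actually exists."""
    return row_length(columns, colors, bpc) * rows


def inflate_bounded(raw, limit=MAX_DECOMPRESSED_BYTES):
    """zlib-inflate, refusing streams that expand past `limit` bytes, so a
    decompression bomb cannot blow up memory before the predictor stage."""
    out = zlib.decompressobj().decompress(raw, limit + 1)
    if len(out) > limit:
        raise ValueError("decompressed stream exceeds limit")
    return out


def _paeth(a, b, c):
    p = a + b - c
    pa, pb, pc = abs(p - a), abs(p - b), abs(p - c)
    if pa <= pb and pa <= pc:
        return a
    return b if pb <= pc else c


def unpredict_png(data, columns, colors=1, bpc=8):
    """Undo PNG predictors (/Predictor 10..15). The output size is derived
    from len(data), never from the declared parameters alone, and the
    parameters are checked for plausibility and consistency with the data."""
    if columns < 1 or colors < 1 or bpc not in (1, 2, 4, 8, 16):
        raise ValueError("invalid predictor parameters")
    rowlen = row_length(columns, colors, bpc)
    if rowlen > MAX_ROW_BYTES:
        raise ValueError("predictor row length exceeds limit")
    if len(data) % (rowlen + 1) != 0:        # each row = 1 filter byte + payload
        raise ValueError("stream length inconsistent with predictor parameters")
    bpp = max(1, (colors * bpc + 7) // 8)    # bytes per pixel for Sub/Avg/Paeth
    out = bytearray()
    prev = bytearray(rowlen)                 # the row "above" the first is zeros
    for off in range(0, len(data), rowlen + 1):
        ftype = data[off]
        row = bytearray(data[off + 1:off + 1 + rowlen])
        for i in range(rowlen):
            a = row[i - bpp] if i >= bpp else 0     # left (already reconstructed)
            b = prev[i]                             # up
            c = prev[i - bpp] if i >= bpp else 0    # upper-left
            if ftype == 0:
                continue
            if ftype == 1:
                row[i] = (row[i] + a) & 0xFF
            elif ftype == 2:
                row[i] = (row[i] + b) & 0xFF
            elif ftype == 3:
                row[i] = (row[i] + ((a + b) >> 1)) & 0xFF
            elif ftype == 4:
                row[i] = (row[i] + _paeth(a, b, c)) & 0xFF
            else:
                raise ValueError("unknown PNG filter type %d" % ftype)
        out += row
        prev = row
    return bytes(out)


def demo():
    """Constructed sample: three 4-byte rows predicted with None/Up/Sub,
    then a malicious parameter set that the hardened decoder refuses."""
    predicted = (b"\x00\x01\x02\x03\x04"     # None: 1 2 3 4
                 b"\x02\x00\x00\x00\x00"     # Up:   same as the row above
                 b"\x01\x05\x00\x00\x00")    # Sub:  5 5 5 5
    decoded = unpredict_png(inflate_bounded(zlib.compress(predicted)), columns=4)
    # A naive decoder would reserve 8 GiB for a single row of this stream.
    planned = planned_allocation(columns=2**31, colors=4, bpc=8, rows=1)
    try:
        unpredict_png(b"\x00" * 8, columns=2**31, colors=4, bpc=8)
        rejected = False
    except ValueError:
        rejected = True
    return {"decoded": decoded, "planned": planned, "rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

The two checks that matter are the ones a naive decoder lacks: the declared row width is compared against a policy ceiling before anything is allocated, and the number of rows is computed from the bytes that really arrived rather than from the dictionary, so the worst an attacker can make the decoder hold is roughly the size of the inflated stream, which is itself capped.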
How can this vulnerability impact me?
The impact is denial of service through memory exhaustion. While decoding the crafted stream, a vulnerable pypdf consumes far more memory than the file size would suggest, so the process that opened the PDF can crash with a MemoryError or be killed by the operating system, and a host that parses untrusted PDFs (an upload handler, a document-conversion pipeline, a mail scanner) can be destabilised by a single file. The reported effect is on availability only.
What immediate steps should I take to mitigate this vulnerability?
Upgrade pypdf to version 6.10.2 or later, where the issue is fixed, and confirm the version that is actually loaded at runtime (for example `python -c "import pypdf; print(pypdf.__version__)"`), since a vendored or pinned copy can differ from what pip reports.
If you cannot upgrade immediately, you may backport the changes from the fixing patch to your installed version as a temporary workaround. Independently of the version, treat parsing of untrusted PDFs as a hostile operation: run it in a separate worker process under an operating-system memory limit (a cgroup or RLIMIT_AS ceiling) so that a crafted file can only take down that worker rather than the whole service.
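As an added example of a cheap pre-parse gate for an upload pipeline (written for this page; not part of the advisory and not pypdf code), the following Python scanner walks the raw stream dictionaries of a file and reports /FlateDecode streams whose /DecodeParms declare a predictor with an implausible row width. SAMPLE_PDF is a constructed fragment whose stream bodies are filler, and MAX_ROW_BYTES and the function names are assumptions of this example.

```python
import re

# Hypothetical triage threshold for this example (not a pypdf setting):
# flag any predicted row wider than 1 MiB.
MAX_ROW_BYTES = 1 << 20

# Constructed sample PDF fragment for this example. It is not a real
# exploit file: the stream bodies are filler, only the dictionaries matter.
SAMPLE_PDF = b"""%PDF-1.7
4 0 obj
<< /Length 10 /Filter /FlateDecode /DecodeParms << /Predictor 12 /Columns 4 >> >>
stream
xxxxxxxxxx
endstream
endobj
5 0 obj
<< /Length 10 /Filter /FlateDecode
   /DecodeParms << /Predictor 15 /Colors 4 /BitsPerComponent 8 /Columns 1073741824 >> >>
stream
xxxxxxxxxx
endstream
endobj
"""

# "N G obj << ... >> stream": the dictionary of an uncompressed stream object.
STREAM_OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*<<(.*?)>>\s*stream", re.S)
DECODE_PARMS_RE = re.compile(rb"/DecodeParms\s*<<(.*?)>>", re.S)


def _int_param(parms, key, default):
    """Read an integer entry such as /Columns 4 from a DecodeParms body."""
    m = re.search(rb"/" + key + rb"\s+(\d+)", parms)
    return int(m.group(1)) if m else default


def predicted_row_bytes(columns, colors, bpc):
    """Bytes per un-predicted row, as defined for the PNG/TIFF predictors."""
    return (columns * colors * bpc + 7) // 8


def scan_pdf(pdf_bytes, max_row_bytes=MAX_ROW_BYTES):
    """Return the FlateDecode streams whose predictor parameters imply a row
    wider than max_row_bytes. Each finding names the object number and the
    parameters that produced the oversized row."""
    findings = []
    for m in STREAM_OBJ_RE.finditer(pdf_bytes):
        objnum, dictionary = int(m.group(1)), m.group(3)
        if b"/FlateDecode" not in dictionary:
            continue
        parms_match = DECODE_PARMS_RE.search(dictionary)
        if parms_match is None:
            continue                          # no predictor declared
        parms = parms_match.group(1)
        predictor = _int_param(parms, b"Predictor", 1)
        if predictor == 1:
            continue                          # no prediction applied
        columns = _int_param(parms, b"Columns", 1)
        colors = _int_param(parms, b"Colors", 1)
        bpc = _int_param(parms, b"BitsPerComponent", 8)
        row_bytes = predicted_row_bytes(columns, colors, bpc)
        if row_bytes > max_row_bytes:
            findings.append({
                "object": objnum,
                "predictor": predictor,
                "columns": columns,
                "colors": colors,
                "bpc": bpc,
                "row_bytes": row_bytes,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_pdf(SAMPLE_PDF):
        print("suspicious predictor parameters:", finding)
```

This only sees dictionaries that are stored in clear text; from PDF 1.5 onward, object streams can hold the same dictionaries inside a compressed stream, and /DecodeParms may also be an array when several filters are chained, so an empty result is not a clean bill of health. It rejects the obvious case before the real parser runs, and the actual defence remains the upgrade plus an OS-level memory limit on the parsing worker.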