CVE-2026-41313
Received Received - Intake
Denial of Service via Large Trailer in pypdf Before

Publication date: 2026-04-22

Last updated on: 2026-04-27

Assigner: GitHub, Inc.

Description
pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.2 can craft a PDF which leads to long runtimes. This requires loading a PDF with a large trailer `/Size` value in incremental mode. This has been fixed in pypdf 6.10.2. As a workaround, one may apply the changes from the patch manually.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-22
Last Modified
2026-04-27
Generated
2026-06-16
AI Q&A
2026-04-23
EPSS Evaluated
2026-06-14
NVD
CVE-2026-41313
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
pypdf_project pypdf to 6.10.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-834 The product performs an iteration or loop without sufficiently limiting the number of times that the loop is executed.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability affects pypdf versions prior to 6.10.2 when loading PDFs with a large trailer `/Size` value in incremental mode, causing long runtimes.

To detect if your system is vulnerable, first check the installed version of pypdf.

  • Run the command: pip show pypdf

If the version is earlier than 6.10.2, your system may be vulnerable.

There are no specific network detection commands or signatures available from the provided information.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade pypdf to version 6.10.2 or later, where the issue has been fixed.

As a temporary workaround, you may manually apply the changes from the patch that fixes the vulnerability.

Executive Summary

The vulnerability exists in the pypdf library versions prior to 6.10.2. An attacker can craft a specially designed PDF file that contains a large trailer `/Size` value when loaded in incremental mode. This crafted PDF causes the library to experience long runtimes, potentially leading to performance degradation or denial of service.

This issue has been fixed in pypdf version 6.10.2, and as a workaround, users can manually apply the patch changes.

Impact Analysis

This vulnerability can impact you by causing long runtimes or performance issues when processing maliciously crafted PDF files using vulnerable versions of pypdf. This could lead to denial of service conditions or resource exhaustion on systems that automatically process PDFs.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41313. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart