CVE-2026-48156
Analyzed Analyzed - Analysis Complete
Denial of Service in pypdf via Malicious PDF

Publication date: 2026-05-28

Last updated on: 2026-05-29

Assigner: GitHub, Inc.

Description
pypdf is a free and open-source pure-python PDF library. Prior to 6.12.0, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires cross-reference streams with /W [0 0 0] values and large /Size values. This vulnerability is fixed in 6.12.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-05-29
Generated
2026-06-18
AI Q&A
2026-05-28
EPSS Evaluated
2026-06-16
NVD
CVE-2026-48156
EUVD
EUVD-2026-32913
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
pypdf_project pypdf to 6.12.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-834 The product performs an iteration or loop without sufficiently limiting the number of times that the loop is executed.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The CVE-2026-48156 vulnerability affects the pypdf library, a pure-python PDF processing tool. Prior to version 6.12.0, an attacker could craft a malicious PDF file containing cross-reference streams with /W [0 0 0] values and very large /Size values. This crafted PDF causes the library to enter into excessive processing loops, leading to long runtimes and potential denial of service.

The vulnerability arises because the library does not properly handle cross-reference streams with zero-only width values, which results in excessive iterations during PDF parsing.

This issue was fixed in version 6.12.0 by disallowing such cross-reference streams, preventing the exploitation.

Impact Analysis

This vulnerability can impact users by causing the pypdf library to consume excessive processing time when handling specially crafted PDF files. This can lead to denial of service conditions where applications using pypdf become unresponsive or slow.

Such performance degradation can affect systems that automatically process PDFs, potentially disrupting workflows or services that rely on timely PDF parsing.

Detection Guidance

This vulnerability involves malicious PDF files containing cross-reference streams with /W [0 0 0] values and unusually large /Size values that cause excessive processing time in the pypdf library.

To detect this vulnerability on your system, you can analyze PDF files for the presence of cross-reference streams with /W [0 0 0] and large /Size values before processing them with pypdf.

While no specific commands are provided in the resources, you can use PDF inspection tools or scripts to parse the PDF structure and check for these characteristics.

  • Use a PDF parsing tool or script to extract cross-reference stream entries and verify if the /W array equals [0 0 0].
  • Check the /Size value in the PDF trailer or cross-reference stream for unusually large numbers that could cause long runtimes.
  • Monitor processing times of PDF files with pypdf; unusually long runtimes may indicate exploitation attempts.
Mitigation Strategies

The primary mitigation step is to upgrade the pypdf library to version 6.12.0 or later, where this vulnerability has been fixed by disallowing cross-reference streams with zero-only width values.

If immediate upgrading is not possible, you can apply the patch from pull request #3791 as a temporary workaround to reject malicious cross-reference streams.

Additionally, avoid processing untrusted PDF files that may contain crafted cross-reference streams with /W [0 0 0] and large /Size values.

Compliance Impact

The provided information does not specify any direct impact of the CVE-2026-48156 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48156. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart