CVE-2026-48156
Denial of Service in pypdf via Malicious PDF
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: GitHub, Inc.
Description
Exploitability
| CWE ID | Description |
|---|---|
| CWE-834 | The product performs an iteration or loop without sufficiently limiting the number of times that the loop is executed. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-48156 affects pypdf, a pure-Python PDF library. Before version 6.12.0, a crafted PDF whose cross-reference stream declares a width array of /W [0 0 0] together with a very large /Size forces the parser into an excessively long loop. Parsing such a file takes so long that the application is effectively denied service.
The root cause (CWE-834, uncontrolled iteration) is that the library accepted cross-reference streams whose entry field widths are all zero. Each cross-reference entry is then zero bytes wide, so the amount of work the parser does is dictated by the attacker-chosen /Size rather than by the bytes actually present in the stream, and nothing the attacker does not control bounds the loop.
Version 6.12.0 fixes the issue by rejecting cross-reference streams with zero-only /W arrays, so such a file now fails to parse instead of consuming the process.
How can this vulnerability impact me?
Any application that opens PDFs with a vulnerable pypdf can be made to burn CPU time on a single specially crafted file, leaving the process unresponsive or extremely slow. The attacker needs nothing more than the ability to get a PDF in front of the parser.
The exposure is highest for services that ingest PDFs automatically (upload handlers, mail gateways, document converters, indexing pipelines): a handful of malicious files can tie up workers and disrupt every job queued behind them.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The exploit artifact is a PDF whose cross-reference stream (an indirect object with /Type /XRef) carries /W [0 0 0] and an unusually large /Size, so detection has two parts: confirming which pypdf version is installed, and screening PDFs before pypdf parses them.
Check the installed version first; anything below 6.12.0 is affected:
- `pip show pypdf`, or `python -c "import pypdf; print(pypdf.__version__)"`
The advisory resources do not ship a scanner, but a cross-reference stream's dictionary is stored unencrypted in the file, so a byte-level scan can inspect it without handing the file to pypdf:
- Extract every /Type /XRef object dictionary and flag any whose /W array is all zeros (the fix rejects exactly these).
- Check the /Size value in the same dictionary (or in a classic trailer) for values far larger than the file could plausibly contain.
- Watch the wall-clock time of pypdf jobs; a parse that runs far longer than usual on a small file matches this pattern and should be killed by a timeout.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade pypdf to version 6.12.0 or later, where cross-reference streams with zero-only /W arrays are rejected.
If an immediate upgrade is not possible, backport the change from pull request #3791 as a temporary measure so that such cross-reference streams are rejected before parsing proceeds.
In either case, treat PDF parsing of untrusted input as a hostile-input workload: screen files for /W [0 0 0] cross-reference streams before pypdf sees them, and run the parser in a separate worker with a CPU or wall-clock limit so one malicious file cannot stall the service.
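The following script is an added example, not code from the advisory or from the pypdf project. It implements the pre-parse screen described in the detection and mitigation answers above: a regex-based scan of every /Type /XRef object dictionary that flags zero-only /W arrays (the advisory's signal) and, as a secondary heuristic of my own, a /Size above an assumed threshold, plus a version check for the installed pypdf. It deliberately never imports pypdf, so scanning a malicious file cannot itself trigger the long loop. The two embedded PDFs are constructed samples (their stream bodies and byte offsets are not accurate) and the threshold value is an assumption.

```python
import re
from importlib import metadata

# Dictionary of every indirect object that is followed by a stream. The tempered
# dot (?:(?!endobj).) stops a match from running past the end of one object.
# Cross-reference streams are never encrypted, so this also works on encrypted files.
_OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*<<((?:(?!endobj).)*?)>>\s*stream", re.DOTALL)
_W_RE = re.compile(rb"/W\s*\[([^\]]*)\]")
_SIZE_RE = re.compile(rb"/Size\s+(\d+)")

FIXED_VERSION = (6, 12, 0)      # first fixed release, per the advisory
SIZE_THRESHOLD = 10_000_000     # assumption: a local heuristic, not a value from the advisory


def find_xref_streams(pdf_bytes):
    """Return (object number, /W list, /Size) for each /Type /XRef object.
    A missing or indirect /W or /Size is reported as None."""
    found = []
    for m in _OBJ_RE.finditer(pdf_bytes):
        objnum, dict_bytes = int(m.group(1)), m.group(3)
        if not re.search(rb"/Type\s*/XRef\b", dict_bytes):
            continue
        w_match = _W_RE.search(dict_bytes)
        size_match = _SIZE_RE.search(dict_bytes)
        widths = [int(x) for x in w_match.group(1).split()] if w_match else None
        size = int(size_match.group(1)) if size_match else None
        found.append((objnum, widths, size))
    return found


def classify(widths, size):
    """Reasons an xref stream matches the CVE-2026-48156 pattern (empty list = clean)."""
    reasons = []
    if widths and all(w == 0 for w in widths):
        reasons.append("zero-only /W array: entries consume no stream bytes")
    if size is not None and size > SIZE_THRESHOLD:
        reasons.append(f"/Size {size} exceeds heuristic threshold {SIZE_THRESHOLD}")
    return reasons


def scan_pdf(pdf_bytes):
    """Return [(object number, reasons)] for every suspicious xref stream."""
    hits = []
    for objnum, widths, size in find_xref_streams(pdf_bytes):
        reasons = classify(widths, size)
        if reasons:
            hits.append((objnum, reasons))
    return hits


def assert_safe_for_pypdf(pdf_bytes):
    """Guard to call before pypdf.PdfReader on untrusted input: raises ValueError
    on a suspicious file, otherwise returns the bytes unchanged."""
    hits = scan_pdf(pdf_bytes)
    if hits:
        detail = "; ".join(f"obj {n}: {', '.join(r)}" for n, r in hits)
        raise ValueError("rejected PDF with suspicious cross-reference stream(s): " + detail)
    return pdf_bytes


def version_is_fixed(version_string):
    """True if a pypdf version string is >= 6.12.0 (numeric prefix of each part only)."""
    parts = []
    for piece in version_string.split("."):
        digits = re.match(r"\d+", piece)
        if not digits:
            break
        parts.append(int(digits.group(0)))
    return tuple(parts + [0] * (3 - len(parts)))[:3] >= FIXED_VERSION


def installed_pypdf_is_fixed():
    """True/False for the installed pypdf, or None if pypdf is not installed."""
    try:
        return version_is_fixed(metadata.version("pypdf"))
    except metadata.PackageNotFoundError:
        return None


# Constructed samples: a benign xref stream and one shaped as the advisory describes.
BENIGN_PDF = (
    b"%PDF-1.5\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"3 0 obj\n<< /Type /XRef /Size 4 /W [1 2 1] /Root 1 0 R /Length 16 >>\nstream\n"
    b"\x00\x00\x00\x00\x01\x00\x0f\x00\x01\x00\x2e\x00\x01\x00\x50\x00\nendstream\nendobj\n"
    b"startxref\n80\n%%EOF\n"
)
MALICIOUS_PDF = (
    b"%PDF-1.5\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"3 0 obj\n<< /Type /XRef /Size 2147483647 /W [0 0 0] /Root 1 0 R /Length 0 >>\nstream\n"
    b"\nendstream\nendobj\n"
    b"startxref\n80\n%%EOF\n"
)

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            for objnum, reasons in scan_pdf(f.read()):
                print(f"{path}: xref stream object {objnum}: " + "; ".join(reasons))
    state = installed_pypdf_is_fixed()
    print("pypdf not installed" if state is None else
          "installed pypdf is " + ("fixed" if state else "VULNERABLE (< 6.12.0)"))
```

Run it as `python scan_xref.py file1.pdf file2.pdf` to list flagged objects and report whether the installed pypdf is patched, or call `assert_safe_for_pypdf(data)` in an upload handler before constructing a `PdfReader`. The scan only reads object dictionaries, so it is cheap even on large files; it does not replace the upgrade, since it cannot see a /W or /Size supplied as an indirect reference and the size threshold is only a heuristic.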
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The available information describes an availability impact only and does not identify any direct effect of CVE-2026-48156 on compliance with standards or regulations such as GDPR or HIPAA.