CVE-2026-45802
Status: Deferred - Pending Action
Memory Exhaustion in FPDI PDF Processing

Publication date: 2026-06-11

Last updated on: 2026-06-11

Assigner: GitHub, Inc.

Description
FPDI is a collection of PHP classes that facilitate reading pages from existing PDF documents and using them as templates in FPDF. Prior to version 2.6.7, an attacker can upload a small, malicious PDF file that will cause the server-side script to crash due to memory exhaustion or a script time-out. Repeated attacks can lead to sustained service unavailability. This issue has been patched in version 2.6.7.
Meta Information
Generated: 2026-06-12
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: setasign
Product: fpdi
Version / Range: all versions up to 2.6.7 (excluding 2.6.7)
CWE
CWE-770: The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
CWE-400: The product does not properly control the allocation and maintenance of a limited resource.
Executive Summary

CVE-2026-45802 is a Denial of Service (DoS) vulnerability in the FPDI PHP library, which reads and processes PDF documents. Prior to version 2.6.7, an attacker can upload a specially crafted PDF file that makes the server-side script exhaust its memory limit or loop until the script time-out while parsing the file.

The vulnerability arises from improper handling of cyclic structures in PDF cross-reference tables and page trees, leading to infinite recursion or excessive memory consumption.

This issue was fixed in version 2.6.7 by adding safeguards to detect and prevent cyclic references, throwing exceptions when such loops are detected to stop the denial-of-service condition.

Impact Analysis

This vulnerability can impact you by causing your server-side scripts that use FPDI to crash or become unresponsive when processing malicious PDF files.

Repeated exploitation can lead to sustained denial of service, making your application or service unavailable to legitimate users.

The vulnerability affects system availability but does not compromise confidentiality or integrity of data.

Detection Guidance

This vulnerability manifests as a server-side script that uses FPDI crashing with a memory-exhaustion error or a script time-out while processing a crafted PDF file that contains cyclic structures.

Detection involves monitoring for repeated crashes or service unavailability related to PDF processing, especially when handling uploaded PDF files.

Since the issue is triggered by processing malicious PDFs, you can detect attempts by inspecting logs for errors or crashes in the PHP application handling PDFs.

No specific commands are provided in the resources, but general approaches include:

  • Check web server and PHP error logs for memory exhaustion or timeout errors related to PDF processing.
  • Monitor application logs for repeated failures or crashes when processing uploaded PDF files.
  • Use network monitoring tools to detect repeated uploads of small PDF files that may be malicious.
  • If possible, test PDF files with known cyclic structures (e.g., xref_prev_loop.pdf or page_parent_loop.pdf) in a controlled environment to observe if the application crashes.

Mitigation Strategies
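As an added illustration (not code from FPDI or from the advisory), the following Python walks a PDF's classic cross-reference /Prev chain with a visited set and a section cap, the kind of loop safeguard the fix describes, and can serve to triage uploaded PDFs in a controlled environment before they reach the parser. It assumes classic xref tables (not cross-reference streams); the sample PDFs it checks are constructed inline, and the check is an aid to testing, not a substitute for updating to 2.6.7.

```python
import re

class PdfLoopError(ValueError):
    """Raised when the xref /Prev chain revisits an offset or exceeds the section cap."""

def walk_xref_chain(data: bytes, max_sections: int = 64) -> list:
    """Follow startxref -> xref -> trailer /Prev -> ... and return the visited offsets."""
    sx = data.rfind(b"startxref")
    if sx < 0:
        raise ValueError("no startxref keyword")
    m = re.match(rb"startxref\s+(\d+)", data[sx:])
    if not m:
        raise ValueError("malformed startxref")
    offset, seen = int(m.group(1)), []
    while True:
        if offset in seen:            # revisiting an offset means a /Prev cycle
            raise PdfLoopError(f"xref /Prev chain loops back to offset {offset}")
        if len(seen) >= max_sections:  # bound the walk even without an exact repeat
            raise PdfLoopError(f"more than {max_sections} xref sections")
        if not data.startswith(b"xref", offset):
            raise ValueError(f"no classic xref table at offset {offset}")
        seen.append(offset)
        t = data.find(b"trailer", offset)
        d = re.match(rb"trailer\s*<<(.*?)>>", data[t:], re.S) if t >= 0 else None
        if not d:
            raise ValueError("xref section without a trailer dictionary")
        prev = re.search(rb"/Prev\s+(\d+)", d.group(1))
        if not prev:
            return seen               # chain terminates normally
        offset = int(prev.group(1))

def is_xref_chain_acyclic(data: bytes) -> bool:
    """Triage helper: True if the /Prev chain terminates, False if it loops."""
    try:
        walk_xref_chain(data)
        return True
    except PdfLoopError:
        return False

def build_sample(loop: bool) -> bytes:
    """Constructed two-object PDF; with loop=True the trailer /Prev points at its own xref."""
    head = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
            b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n")
    xref_off = len(head)
    xref = b"xref\n0 3\n0000000000 65535 f \n0000000009 00000 n \n0000000058 00000 n \n"
    prev = b" /Prev %d" % xref_off if loop else b""
    trailer = b"trailer\n<< /Size 3 /Root 1 0 R" + prev + b" >>\nstartxref\n%d\n%%%%EOF\n" % xref_off
    return head + xref + trailer
```

The same bounded-walk pattern applies to the page tree: follow /Parent links with a visited set and reject the file when a node is seen twice.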

The primary and recommended mitigation is to update the FPDI library to version 2.6.7 or later, which includes fixes that prevent memory exhaustion and infinite loops caused by malicious PDF files.

No workarounds are available according to the advisory, so patching is essential.

After updating, verify that your application properly handles PDF uploads and that the new safeguards against cyclic structures are in place.
