CVE-2026-45802

Memory Exhaustion in FPDI PDF Processing

Vulnerability report for CVE-2026-45802, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-11

Last updated on: 2026-06-11

Assigner: GitHub, Inc.

Description

FPDI is a collection of PHP classes that facilitate reading pages from existing PDF documents and using them as templates in FPDF. Prior to version 2.6.7, an attacker can upload a small, malicious PDF file that will cause the server-side script to crash due to memory exhaustion or a script time-out. Repeated attacks can lead to sustained service unavailability. This issue has been patched in version 2.6.7.

Meta Information

Generated: 2026-07-02
AI Q&A: 2026-06-12
EPSS Evaluated: 2026-06-30

Affected Vendors & Products

One associated CPE:
Vendor: setasign
Product: fpdi
Version / Range: up to 2.6.7 (exclusive), i.e. all versions before 2.6.7

Exploitability

CWE ID: Description
CWE-400: The product does not properly control the allocation and maintenance of a limited resource.
CWE-770: The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

AI Quick Actions

Compliance Impact

The vulnerability in FPDI (CVE-2026-45802) causes denial of service through memory exhaustion or infinite loops, impacting system availability.

It does not affect confidentiality or integrity of data, only availability.

Compliance frameworks such as GDPR and HIPAA require protecting the confidentiality, integrity, and availability of data; this vulnerability affects only the availability aspect.

Repeated exploitation could lead to sustained service unavailability, which may affect compliance with availability requirements in these regulations.

Mitigation requires updating to FPDI version 2.6.7 or later to prevent denial-of-service conditions.

Executive Summary

CVE-2026-45802 is a Denial of Service (DoS) vulnerability in the FPDI PHP library, which is used to read and process PDF documents. Prior to version 2.6.7, an attacker can upload a specially crafted malicious PDF file that causes the server-side script to crash by exhausting memory or causing infinite loops during PDF parsing.

The vulnerability arises from improper handling of cyclic structures in PDF cross-reference tables and page trees, leading to infinite recursion or excessive memory consumption.

This issue was fixed in version 2.6.7 by adding safeguards to detect and prevent cyclic references, throwing exceptions when such loops are detected to stop the denial-of-service condition.

Impact Analysis

This vulnerability can impact you by causing your server-side scripts that use FPDI to crash or become unresponsive when processing malicious PDF files.

Repeated exploitation can lead to sustained denial of service, making your application or service unavailable to legitimate users.

The vulnerability affects system availability but does not compromise confidentiality or integrity of data.

Detection Guidance

This vulnerability manifests when a server-side script processing PDF files using FPDI crashes due to memory exhaustion or script time-outs caused by maliciously crafted PDF files with cyclic structures.

Detection involves monitoring for repeated crashes or service unavailability related to PDF processing, especially when handling uploaded PDF files.

Since the issue is triggered by processing malicious PDFs, you can detect attempts by inspecting logs for errors or crashes in the PHP application handling PDFs.

No specific commands are provided in the resources, but general approaches include:

  • Check web server and PHP error logs for memory exhaustion or timeout errors related to PDF processing.
  • Monitor application logs for repeated failures or crashes when processing uploaded PDF files.
  • Use network monitoring tools to detect repeated uploads of small PDF files that may be malicious.
  • If possible, test PDF files with known cyclic structures (e.g., xref_prev_loop.pdf or page_parent_loop.pdf) in a controlled environment to observe if the application crashes.
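As an added defender's example (not code from the FPDI project or from this page's resources), the following Python pre-screening check walks the startxref -> /Prev chain and the page-tree /Parent links of an uploaded PDF and reports the two kinds of cycle described above, so such a file can be rejected or quarantined before it reaches FPDI. The sample PDF builder, its object numbers and offsets are constructed for the demonstration; the regex-based parsing is a simplification that ignores compressed object streams and is a complement to, not a replacement for, upgrading to 2.6.7.

```python
import re
PREV_RE = re.compile(rb"/Prev\s+(\d+)")                       # trailer or xref-stream dict
OBJ_RE = re.compile(rb"(\d+)\s+0\s+obj(.*?)endobj", re.S)     # uncompressed objects only
PARENT_RE = re.compile(rb"/Parent\s+(\d+)\s+0\s+R")

def xref_prev_chain(pdf, max_hops=64):
    """Follow startxref -> trailer /Prev -> ...; return (offsets visited, status)."""
    start = pdf.rfind(b"startxref")
    m = re.match(rb"startxref\s+(\d+)", pdf[start:]) if start >= 0 else None
    if not m: return [], "no_startxref"
    offset, seen = int(m.group(1)), []
    while True:
        if offset in seen:
            return seen, "loop"        # /Prev points back at a section already visited
        if len(seen) >= max_hops or offset >= len(pdf):
            return seen, "bad_chain"   # absurdly long chain or offset past end of file
        seen.append(offset)
        end = pdf.find(b"startxref", offset)
        prev = PREV_RE.search(pdf[offset:end if end >= 0 else None])
        if not prev:
            return seen, "ok"          # oldest section reached, no further /Prev
        offset = int(prev.group(1))

def page_parent_loops(pdf, max_depth=64):
    """Walk /Parent links from every object; return object numbers whose ancestry never ends."""
    bodies = {int(n): body for n, body in OBJ_RE.findall(pdf)}
    looping = []
    for num in bodies:
        seen, cur = set(), num
        while cur in bodies and cur not in seen and len(seen) < max_depth:
            seen.add(cur)
            p = PARENT_RE.search(bodies[cur])
            if not p:
                break                  # reached a root node: this chain terminates
            cur = int(p.group(1))
        else:                          # no break: a node was revisited or chain too deep
            if cur in seen or len(seen) >= max_depth:
                looping.append(num)
    return sorted(looping)

def _section(self_off, prev):  # one constructed xref section + trailer
    tr = b"<< /Size 4 /Root 1 0 R" + (b" /Prev %010d" % prev if prev is not None else b"") + b" >>"
    return b"xref\n0 1\n0000000000 65535 f \ntrailer\n" + tr + b"\nstartxref\n%010d\n%%%%EOF\n" % self_off

def sample_pdf(xref_loop=False, parent_loop=False):  # constructed sample, not an FPDI test file
    pages = b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1" + (b" /Parent 3 0 R" if parent_loop else b"") + b" >> endobj\n"
    body = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n" + pages + b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    x1 = len(body)                                   # offset of the first xref section
    x2 = x1 + len(_section(x1, x1 if xref_loop else None))  # fixed-width numbers keep length stable
    return body + _section(x1, x2 if xref_loop else None) + _section(x2, x1)
```

Any status other than "ok" from the chain walk, or a non-empty list from the page-tree walk, is a reason to refuse the upload and log the event with the file's hash for correlation with the crash monitoring above.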

Mitigation Strategies

The primary and recommended mitigation is to update the FPDI library to version 2.6.7 or later, which includes fixes that prevent memory exhaustion and infinite loops caused by malicious PDF files.

No workarounds are available according to the advisory, so patching is essential.

After updating, verify that your application properly handles PDF uploads and that the new safeguards against cyclic structures are in place.
