CVE-2026-59936
Received Received - Intake

Infinite Loop in PyPDF Due to Unterminated Inline Image

Vulnerability report for CVE-2026-59936, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

pypdf is a free and open-source pure-python PDF library. Prior to 6.14.1, an attacker can craft a PDF with a page content stream containing a not terminated inline image, causing an infinite loop during inline image end marker detection such as when extracting page text. This issue is fixed in version 6.14.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
py-pdf pypdf to 6.14.1 (exc)
py_pdf pypdf 6.14.1
py_pdf pypdf to 6.14.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The provided context and resources do not contain any information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-59936 is a vulnerability in the pypdf library, a pure-python PDF library. Before version 6.14.1, an attacker could craft a PDF file containing a page with an inline image that is not properly terminated. This malformed inline image causes the library to enter an infinite loop when trying to detect the end marker of the inline image during operations such as extracting text from the page.

The issue arises because the code did not properly handle the case where the inline image stream ended unexpectedly, leading to an infinite loop in the parsing process.

This vulnerability was fixed in version 6.14.1 by adding checks to detect the end of the stream properly and raise an error if the stream ends unexpectedly.

Impact Analysis

This vulnerability can cause the pypdf library to enter an infinite loop when processing a crafted PDF file with a malformed inline image. This infinite loop can lead to denial of service by making the application using pypdf hang or become unresponsive during PDF text extraction or other parsing operations.

Since the vulnerability requires no privileges or user interaction and can be triggered remotely by processing a malicious PDF, it poses a risk to any system or application that uses pypdf to handle untrusted PDF files.

Detection Guidance

This vulnerability involves an infinite loop triggered by a crafted PDF containing a not terminated inline image during text extraction. Detection involves identifying PDFs that cause the pypdf library to hang or enter an infinite loop when processing page content streams.

Since the issue occurs during inline image end marker detection in pypdf, one way to detect it is by running a test script that attempts to extract text from suspicious PDF files using pypdf versions prior to 6.14.1 and observing if the process hangs or crashes.

The patched version raises a PdfStreamError with the message "Unexpected end of stream." when encountering malformed inline images. You can write a test script to catch this exception to identify problematic PDFs.

Example Python snippet to detect the issue (using pypdf < 6.14.1):

  • Try extracting text from a PDF file using pypdf and monitor for infinite loops or hangs.
  • Use a try-except block to catch PdfStreamError exceptions if using the patched version.

No specific network commands or system-level commands are provided in the resources.

Mitigation Strategies

The primary mitigation step is to upgrade the pypdf library to version 6.14.1 or later, where the vulnerability has been fixed.

If upgrading is not immediately possible, users can apply the changes from pull request #3891 as a workaround to detect the end of stream properly and avoid infinite loops.

Avoid processing untrusted or suspicious PDF files with vulnerable versions of pypdf to reduce the risk of triggering the infinite loop.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59936. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart