CVE-2026-59937
Received Received - Intake

Denial of Service in pypdf via Malformed Cross-Reference Streams

Vulnerability report for CVE-2026-59937, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

pypdf is a free and open-source pure-python PDF library. Prior to 6.14.0, an attacker can craft a PDF with repeated malformed cross-reference streams that cause pypdf to spend long runtimes recovering broken cross-reference table entries. This issue is fixed in version 6.14.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
py_pdf pypdf to 6.14.0 (exc)
py_pdf pypdf 6.14.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability in pypdf (CVE-2026-59937) involves the handling of malformed PDF files that contain repeated broken cross-reference streams. Prior to version 6.14.0, an attacker could craft such a PDF to cause pypdf to spend excessive time trying to recover broken cross-reference table entries, leading to long runtimes.

This happens because the library used a regex-based search method to find object numbers in the PDF, which was inefficient when processing many invalid entries. The issue was fixed by replacing this with a more efficient string-based parsing method that scans the entire file once and caches object locations for faster subsequent lookups.

Impact Analysis

This vulnerability can lead to uncontrolled resource consumption, specifically causing pypdf to spend a long time processing specially crafted malformed PDF files. This can degrade performance or cause denial of service by making the application using pypdf unresponsive or slow.

Since the issue involves excessive runtime during PDF parsing, it could be exploited by an attacker to disrupt services that rely on pypdf for PDF processing.

Detection Guidance

This vulnerability involves pypdf processing specially crafted PDF files with repeated malformed cross-reference streams that cause long runtimes. Detection would involve identifying PDF files that trigger excessive processing time or resource consumption when parsed by vulnerable versions of pypdf (prior to 6.14.0).

Since the issue is related to performance degradation during PDF parsing, one approach is to monitor logs or system resource usage for unusually high CPU or memory consumption when handling PDF files with pypdf.

There are no specific commands provided in the resources to detect this vulnerability directly on a network or system.

Mitigation Strategies

The primary mitigation step is to upgrade pypdf to version 6.14.0 or later, where the vulnerability has been fixed.

If upgrading immediately is not possible, users can apply the changes from pull request #3887 as a workaround, which improves the recovery process by caching object locations and replacing inefficient regex-based parsing.

Additionally, monitoring and limiting the processing of suspicious or malformed PDF files can help reduce the risk of resource exhaustion.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59937. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart