Potential Processing Delays in pypdf Library Versions by PyPDF
CVE-2026-22690

2.7LOW

Key Information:

Vendor

Py-PDF

Status
PyPDF
Vendor
CVE Published:
10 January 2026

What is CVE-2026-22690?

The pypdf library, an open-source pure Python PDF processor, is vulnerable to significant performance degradation due to malformed PDF files. Specifically, the absence of a /Root object combined with large /Size values can lead to excessive run times when processing these invalid files. This issue primarily affects the library's non-strict reading mode. A fix has been implemented in version 6.6.0, ensuring that users of the library can avoid these processing delays when handling potentially malicious PDF documents.

Affected Version(s)

pypdf < 6.6.0

References

https://github.com/py-pdf/pypdf/security/advisories/GHSA-...
x_refsource_CONFIRM
https://github.com/py-pdf/pypdf/pull/3594
x_refsource_MISC
https://github.com/py-pdf/pypdf/commit/294165726b646bb779...
x_refsource_MISC

CVSS V4

Score:
2.7
Severity:
LOW
Confidentiality:
None
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.