Possible Performance Issues in PDF Library Due to Malformed Entries
CVE-2026-22691
2.7 LOW
What is CVE-2026-22691?
pypdf, a Python library for processing PDF files, can run for a long time when it handles malformed startxref entries. An attacker can craft a PDF that forces an inefficient rebuild of the cross-reference table, especially in non-strict reading mode. The issue primarily arises with PDFs that contain excessive whitespace characters. It is addressed in version 6.6.0, which improves the library's resilience against such crafted files.
Affected Version(s)
pypdf < 6.6.0
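
A pre-screen that checks whether a file's startxref entry is well-formed before the file reaches pypdf, so malformed inputs can be rejected or sent to a time-limited worker. This is an added example, not pypdf's code or its fix; `startxref_status`, `build_sample` and the 2048-byte search window are assumptions made here, and upgrading to 6.6.0 or later remains the remediation.

```python
import re

WS = rb"[\x00\t\n\x0c\r ]"  # PDF whitespace characters
# "startxref <offset> %%EOF" as it appears at the end of a PDF file.
_STARTXREF = re.compile(rb"startxref" + WS + rb"+(\d+)" + WS + rb"*%%EOF")
# Accepted targets: a classic table ("xref") or an object header ("N G obj"),
# which is where a cross-reference stream would start.
_TARGET = re.compile(rb"xref|\d+" + WS + rb"+\d+" + WS + rb"+obj")
TAIL_BYTES = 2048  # assumption: search window, keeps this check's own cost bounded


def startxref_status(data: bytes) -> str:
    """Return "ok", "missing", "out-of-range" or "bad-target" for a PDF in memory.

    Anything but "ok" means a lenient reader cannot use the stated offset and
    would have to rebuild the cross-reference table by scanning the file.
    """
    matches = list(_STARTXREF.finditer(data[-TAIL_BYTES:]))
    if not matches:
        return "missing"
    offset = int(matches[-1].group(1))  # last entry wins, as at end of file
    if offset >= len(data):
        return "out-of-range"
    return "ok" if _TARGET.match(data, offset) else "bad-target"


def build_sample(offset=None, padding: int = 0) -> bytes:
    """Constructed test input: a one-object PDF with a chosen startxref offset."""
    body = b"%PDF-1.7\n1 0 obj\n<< >>\nendobj\n" + b" " * padding
    table = b"xref\n0 1\n0000000000 65535 f \ntrailer\n<< /Size 1 >>\n"
    stated = len(body) if offset is None else offset
    return body + table + b"startxref\n%d\n%%%%EOF\n" % stated


if __name__ == "__main__":
    samples = [
        ("well-formed", build_sample()),
        ("wrong offset + whitespace", build_sample(3, padding=5000)),
        ("offset past EOF", build_sample(10**6)),
    ]
    for name, pdf in samples:
        print(f"{name}: {startxref_status(pdf)}")
```

The check is deliberately strict: some real-world PDFs with slightly wrong offsets that pypdf would still read are reported as "bad-target".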
