Infinite Loop Vulnerability in pypdf Library by PyPdf
CVE-2026-27024

6.9 MEDIUM

Key Information:

Vendor

Py-PDF

Status
Vendor
CVE Published: 20 February 2026

What is CVE-2026-27024?

pypdf, a popular open-source pure-Python PDF manipulation library, contains a vulnerability in which an attacker-crafted PDF file causes an infinite loop. The loop is triggered during the processing of a TreeObject, a structure commonly found in the outlines of a PDF. Versions prior to 6.7.1 are affected; the issue is addressed in 6.7.1.

Affected Version(s)

pypdf < 6.7.1

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Local
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
