Memory Exhaustion Issue in pypdf Library
CVE-2026-27025

6.9 MEDIUM

Key Information:

Vendor: Py-PDF

Status
Vendor
CVE Published: 20 February 2026

What is CVE-2026-27025?

The pypdf library, a popular open-source PDF manipulation tool, harbors a memory exhaustion vulnerability in versions prior to 6.7.1. This issue arises when an attacker crafts a malicious PDF file that exploits excessively large values in the /ToUnicode entry of a font. As a consequence, applications utilizing the library may experience prolonged runtimes and increased memory consumption, particularly during text extraction processes. Users are encouraged to upgrade to version 6.7.1 or later to mitigate this vulnerability.

Affected Version(s)

pypdf < 6.7.1

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Local
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
