Long Runtime Vulnerability in pypdf Library by py-pdf
CVE-2026-27026

6.9 MEDIUM

Key Information:

Vendor: Py-PDF

CVE Published: 20 February 2026

What is CVE-2026-27026?

pypdf, a widely used open-source pure-Python PDF manipulation library, is affected by a vulnerability that attackers can exploit to induce prolonged processing times. It is triggered when a user attempts to open a specially crafted PDF file containing a malformed /FlateDecode stream. The resulting excessive CPU usage amounts to a denial of service for users attempting to access affected documents. The issue has been addressed in version 6.7.1 of the library; users should update to the latest version for protection against this type of attack.

Affected Version(s)

pypdf < 6.7.1
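
A defensive sketch for services that parse untrusted PDFs, added here as an example and not taken from pypdf or the advisory: it checks whether the installed pypdf is older than 6.7.1 and runs parsing in a child interpreter that is killed after a wall-clock limit. The helper names (`is_affected`, `installed_pypdf_affected`, `run_bounded`, `PARSE_CHILD`) and the 10-second limit are assumptions.

```python
import re
import subprocess
import sys
from importlib import metadata

FIXED = (6, 7, 1)  # first fixed pypdf release named in the advisory

def is_affected(version_text):
    """True if a pypdf version string is below 6.7.1.

    Compares numeric tuples, not strings, so "6.10.0" sorts above "6.7.1".
    Pre-release suffixes such as "rc1" are ignored (assumption of this sketch).
    """
    nums = [int(n) for n in re.findall(r"\d+", version_text.split("+")[0])[:3]]
    nums += [0] * (3 - len(nums))
    return tuple(nums) < FIXED

def installed_pypdf_affected():
    """None if pypdf is not installed, else whether the installed copy is affected."""
    try:
        return is_affected(metadata.version("pypdf"))
    except metadata.PackageNotFoundError:
        return None

# Child program: opens the PDF and extracts text with pypdf's public API.
PARSE_CHILD = (
    "import sys\n"
    "from pypdf import PdfReader\n"
    "reader = PdfReader(sys.argv[1])\n"
    "print(sum(len(p.extract_text() or '') for p in reader.pages))\n"
)

def run_bounded(child_code, arg, seconds):
    """Run child_code in a separate interpreter; kill it after `seconds`."""
    try:
        done = subprocess.run([sys.executable, "-c", child_code, arg],
                              capture_output=True, text=True, timeout=seconds)
    except subprocess.TimeoutExpired:
        return ("timeout", None)  # subprocess.run has already killed the child
    if done.returncode != 0:
        return ("error", done.stderr.strip())
    return ("ok", done.stdout.strip())

if __name__ == "__main__" and len(sys.argv) > 1:
    # Usage: python this_file.py untrusted.pdf
    print("installed pypdf affected:", installed_pypdf_affected())
    print(run_bounded(PARSE_CHILD, sys.argv[1], 10))
```

The time limit only contains the CPU cost of a slow parse; upgrading past the affected range remains the fix.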

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Local
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved