PDF Parsing Vulnerability in pypdf Library by PyPDF
CVE-2026-31826

6.8MEDIUM

Key Information:

Vendor

Py-PDF

Status
PyPDF
Vendor
CVE Published:
10 March 2026

What is CVE-2026-31826?

The pypdf library, a widely used pure-python PDF library, has a vulnerability that allows an attacker to create a malicious PDF file capable of causing excessive memory consumption. This occurs when the library parses a content stream with a disproportionately large '/Length' value, irrespective of the actual size of the stream's data. The issue has been addressed in version 6.8.0, and users are advised to upgrade to this version or later to mitigate the risk associated with this vulnerability.

Affected Version(s)

pypdf < 6.8.0

References

https://github.com/py-pdf/pypdf/security/advisories/GHSA-...
x_refsource_CONFIRM
https://github.com/py-pdf/pypdf/pull/3675
x_refsource_MISC
https://github.com/py-pdf/pypdf/releases/tag/6.8.0
x_refsource_MISC

CVSS V4

Score:
6.8
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.