Memory Consumption Vulnerability in pypdf Library from py-pdf
CVE-2026-49461

6.9 MEDIUM

Key Information:

Vendor

Py-PDF

Status
Vendor
CVE Published: 22 June 2026

What is CVE-2026-49461?

The pypdf library, a popular pure-Python library for handling PDF files, has a memory consumption vulnerability in versions prior to 6.12.2. An attacker can craft a PDF that drives excessive memory usage during text extraction. The trigger is a PDF containing form XObjects that reference themselves. Upgrading to version 6.12.2 resolves the issue.
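
To illustrate the self-reference condition described above, the following added example (not part of this advisory, and not pypdf's code or its fix) walks a simplified, constructed model of a PDF object table and reports form XObjects that reach themselves through their own resources. `Ref`, `find_xobject_cycles`, `max_depth` and the dict-based object model are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Ref:
    """Stand-in for an indirect reference such as `4 0 R` (hypothetical type)."""
    num: int


# Constructed sample: page 1 draws form 4, whose own resources name form 4 again.
SAMPLE = {
    1: {"/Type": "/Page", "/Resources": {"/XObject": {"/Fm0": Ref(4)}}},
    4: {"/Subtype": "/Form", "/Resources": {"/XObject": {"/Fm0": Ref(4)}}},
}


def _child_forms(objects, num):
    """Yield object numbers of form XObjects named in this object's resources."""
    # Simplification: /Resources and /XObject are inline dicts, never references.
    xobjects = objects[num].get("/Resources", {}).get("/XObject", {})
    for target in xobjects.values():
        if isinstance(target, Ref) and target.num in objects:
            if objects[target.num].get("/Subtype") == "/Form":
                yield target.num


def find_xobject_cycles(objects, root, max_depth=64):
    """Return every reference chain reachable from `root` that loops back on itself."""
    cycles, done = [], set()

    def walk(num, path):
        if len(path) > max_depth:
            # Bound the scanner itself so deep nesting cannot exhaust the stack.
            raise ValueError("form XObject nesting too deep")
        for child in _child_forms(objects, num):
            if child in path:
                # An ancestor appears again: record the loop and do not descend.
                cycles.append(path[path.index(child):] + [child])
            elif child not in done:
                # A form reused by several parents is legitimate; visit it once.
                walk(child, path + [child])
        done.add(num)

    walk(root, [root])
    return cycles
```

Only a form that reappears on its own ancestor path is reported; a form shared by two parents is ordinary reuse and returns no finding.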

Affected Version(s)

pypdf < 6.12.2

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Local
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved