Fluid Attacks Database

Description

pypdf: manipulated stream length values can exhaust RAM

Impact

An attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing a content stream with a rather large /Length value, regardless of the actual data length inside the stream.

Patches

This has been fixed in pypdf==6.8.0.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #3675.

As far as we are aware, this mostly affects reading from buffers of unknown size, as returned by open("file.pdf", mode="rb") for example. Passing a file path or a BytesIO buffer to pypdf instead does not seem to trigger the vulnerability.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	pypdf	>=0 <6.8.0	6.8.0
debian 11	pypdf2	=1.26.0-4 \|\| =1.26.0-4+deb11u1 \|\| =1.27.12-1 \|\| =1.27.9-1 \|\| =2.0.0-1 \|\| =2.10.0-1 \|\| =2.10.2-1 \|\| =2.10.3-1 \|\| =2.10.4-1 \|\| =2.10.5-1 \|\| =2.10.7-1 \|\| =2.10.9-1 \|\| =2.11.0-1 \|\| =2.11.1-1 \|\| =2.11.2-1 \|\| =2.12.1-1 \|\| =2.12.1-2 \|\| =2.12.1-3 \|\| =2.12.1-4 \|\| =2.4.1-1 \|\| =2.4.2-1 \|\| =2.6.0-1 \|\| =2.8.1-1 \|\| =2.9.0-1	-
debian 12	pypdf2	=2.12.1-3 \|\| =2.12.1-3+deb12u1 \|\| =2.12.1-4	-
debian 12	pypdf	=3.17.4-1 \|\| =3.4.1-1 \|\| =3.4.1-1+deb12u1 \|\| =4.0.0-1 \|\| =4.0.0-1~exp1 \|\| =4.0.1-1 \|\| =4.0.2-1 \|\| =4.1.0-1 \|\| =4.2.0-1 \|\| =4.3.1-1 \|\| =5.4.0-1 \|\| =6.9.0-1 \|\| =6.9.2-1	-
debian 13	pypdf	=5.4.0-1 \|\| =6.9.0-1 \|\| =6.9.2-1	-
debian 14	pypdf	=5.4.0-1 \|\| >=0 <6.9.0-1	6.9.0-1

Aliases

1. CVE-2026-318262. NVD-2026-318263. OSV-2026-318264. OSV-DEBIAN-2026-318265. GHSA-hqmh-ppp3-xvm76. GCVE-2026-318267. SECURITY-TRACKER-CVE-2026-31826

References

1. https://github.com/py-pdf/pypdf/security/advisories/GHSA-hqmh-ppp3-xvm72. https://github.com/py-pdf/pypdf/pull/36753. https://github.com/py-pdf/pypdf/commit/3c550b3196adeba1506a26e57c09c09fac75e9aa4. https://github.com/py-pdf/pypdf/releases/tag/6.8.0

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.