Fluid Attacks Database

Description

pypdf is a free and open-source pure-python PDF library. An attacker who uses an infinite loop vulnerability that is present in versions prior to 6.6.2 can craft a PDF which leads to an infinite loop. This requires accessing the outlines/bookmarks. This has been fixed in pypdf 6.6.2. If projects cannot upgrade yet, consider applying the changes from PR #3610 manually.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	pypdf	=3.17.4-1 \|\| =3.4.1-1 \|\| =3.4.1-1+deb12u1 \|\| =4.0.0-1 \|\| =4.0.0-1~exp1 \|\| =4.0.1-1 \|\| =4.0.2-1 \|\| =4.1.0-1 \|\| =4.2.0-1 \|\| =4.3.1-1 \|\| =5.4.0-1 \|\| =6.9.0-1 \|\| =6.9.2-1	-
debian 14	pypdf	=5.4.0-1 \|\| >=0 <6.9.0-1	6.9.0-1
debian 11	pypdf2	=1.26.0-4 \|\| =1.26.0-4+deb11u1 \|\| =1.27.12-1 \|\| =1.27.9-1 \|\| =2.0.0-1 \|\| =2.10.0-1 \|\| =2.10.2-1 \|\| =2.10.3-1 \|\| =2.10.4-1 \|\| =2.10.5-1 \|\| =2.10.7-1 \|\| =2.10.9-1 \|\| =2.11.0-1 \|\| =2.11.1-1 \|\| =2.11.2-1 \|\| =2.12.1-1 \|\| =2.12.1-2 \|\| =2.12.1-3 \|\| =2.12.1-4 \|\| =2.4.1-1 \|\| =2.4.2-1 \|\| =2.6.0-1 \|\| =2.8.1-1 \|\| =2.9.0-1	-
pypi	pypdf	>=0 <6.6.2	6.6.2
debian 12	pypdf2	=2.12.1-3 \|\| =2.12.1-3+deb12u1 \|\| =2.12.1-4	-
debian 13	pypdf	=5.4.0-1 \|\| =6.9.0-1 \|\| =6.9.2-1	-

Aliases

1. CVE-2026-246882. NVD-2026-246883. OSV-DEBIAN-2026-246884. OSV-2026-246885. GHSA-2q4j-m29v-hq736. GCVE-2026-246887. SECURITY-TRACKER-CVE-2026-24688

References

1. https://github.com/JoakimBulow/CVE-2026-246882. https://github.com/py-pdf/pypdf/security/advisories/GHSA-2q4j-m29v-hq733. https://github.com/py-pdf/pypdf/pull/36104. https://github.com/py-pdf/pypdf/commit/b1282f8dcdc1a7b41ceab6740ffddfdf31b1fec15. https://github.com/py-pdf/pypdf/releases/tag/6.6.2

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.