CVE-2026-31826

pypdf is a free and open-source pure-python PDF library. Prior to 6.8.0, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing a content stream with a rather large /Length value, regardless of the actual data length inside the stream. This vulnerability is fixed in 6.8.0.

CVSS

No CVSS.

References

Link	Resource
https://github.com/py-pdf/pypdf/pull/3675
https://github.com/py-pdf/pypdf/releases/tag/6.8.0
https://github.com/py-pdf/pypdf/security/advisories/GHSA-hqmh-ppp3-xvm7

Configurations

No configuration.

History

11 Mar 2026, 13:52

Type	Values Removed	Values Added
Summary		(es) pypdf es una biblioteca PDF pura de Python, gratuita y de código abierto. Antes de la 6.8.0, un atacante que explota esta vulnerabilidad puede crear un PDF que provoca un gran consumo de memoria. Esto requiere analizar una secuencia de contenido con un valor /Length bastante grande, independientemente de la longitud real de los datos dentro de la secuencia. Esta vulnerabilidad está corregida en la 6.8.0.

10 Mar 2026, 22:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-10 22:16

Updated : 2026-03-11 13:52

NVD link : CVE-2026-31826

Mitre link : CVE-2026-31826

CVE.ORG link : CVE-2026-31826

JSON object : View

Products Affected

No product.

CWE

CWE-770

Allocation of Resources Without Limits or Throttling

{"id": "CVE-2026-31826", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.8, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-10T22:16:20.483", "references": [{"url": "https://github.com/py-pdf/pypdf/pull/3675", "source": "security-advisories@github.com"}, {"url": "https://github.com/py-pdf/pypdf/releases/tag/6.8.0", "source": "security-advisories@github.com"}, {"url": "https://github.com/py-pdf/pypdf/security/advisories/GHSA-hqmh-ppp3-xvm7", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-770"}]}], "descriptions": [{"lang": "en", "value": "pypdf is a free and open-source pure-python PDF library. Prior to 6.8.0, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing a content stream with a rather large /Length value, regardless of the actual data length inside the stream. This vulnerability is fixed in 6.8.0."}, {"lang": "es", "value": "pypdf es una biblioteca PDF pura de Python, gratuita y de c\u00f3digo abierto. Antes de la 6.8.0, un atacante que explota esta vulnerabilidad puede crear un PDF que provoca un gran consumo de memoria. Esto requiere analizar una secuencia de contenido con un valor /Length bastante grande, independientemente de la longitud real de los datos dentro de la secuencia. Esta vulnerabilidad est\u00e1 corregida en la 6.8.0."}], "lastModified": "2026-03-11T13:52:47.683", "sourceIdentifier": "security-advisories@github.com"}