CVE-2026-22690

Description

pypdf is a free and open-source pure-python PDF library. Prior to version 6.6.0, pypdf has possible long runtimes for missing /Root object with large /Size values. An attacker who uses this vulnerability can craft a PDF which leads to possibly long runtimes for actually invalid files. This can be achieved by omitting the /Root entry in the trailer, while using a rather large /Size value. Only the non-strict reading mode is affected. This issue has been patched in version 6.6.0.

CVSS breakdown

CVSS 4.0

Attack Vector

Network

Attack Complexity

Low

Attack Requirements

None

Privileges Required

None

User Interaction

None

Confidentiality (Vulnerable System)

None

Integrity (Vulnerable System)

None

Availability (Vulnerable System)

Low

Confidentiality (Subsequent System)

None

Integrity (Subsequent System)

None

Availability (Subsequent System)

None

Unchanged

Affected products

py-pdf / pypdf< 6.6.0 – < 6.6.0

References

VENDOR_ADVISORYhttps://github.com/py-pdf/pypdf/security/advisories/GHSA-4xc4-762w-m6cg
PATCHhttps://github.com/py-pdf/pypdf/pull/3594
PATCHhttps://github.com/py-pdf/pypdf/commit/294165726b646bb7799be1cc787f593f2fdbcf45
PATCHhttps://github.com/py-pdf/pypdf/releases/tag/6.6.0