CVE-2026-24688

Description

pypdf is a free and open-source pure-python PDF library. An attacker who uses an infinite loop vulnerability that is present in versions prior to 6.6.2 can craft a PDF which leads to an infinite loop. This requires accessing the outlines/bookmarks. This has been fixed in pypdf 6.6.2. If projects cannot upgrade yet, consider applying the changes from PR #3610 manually.

CVSS breakdown

CVSS 4.0

Attack Vector

Local

Attack Complexity

Low

Attack Requirements

None

Privileges Required

None

User Interaction

None

Confidentiality (Vulnerable System)

None

Integrity (Vulnerable System)

None

Availability (Vulnerable System)

Low

Confidentiality (Subsequent System)

None

Integrity (Subsequent System)

None

Availability (Subsequent System)

None

Affected products

py-pdf / pypdf< 6.6.2 – < 6.6.2

References

VENDOR_ADVISORYhttps://github.com/py-pdf/pypdf/security/advisories/GHSA-2q4j-m29v-hq73
PATCHhttps://github.com/py-pdf/pypdf/pull/3610
PATCHhttps://github.com/py-pdf/pypdf/commit/b1282f8dcdc1a7b41ceab6740ffddfdf31b1fec1
PATCHhttps://github.com/py-pdf/pypdf/releases/tag/6.6.2