8.3
pypdf can be made to exhaust memory by a malicious PDF
CVE-2026-27888
GHSA-x7hp-r3qg-r3cj
Summary
A malicious PDF can make the pypdf library consume all available memory, crashing the process or starving the host it runs on. The trigger is reading the `xfa` property of a reader or writer when the document's XFA stream is compressed with `/FlateDecode`, so the exposure is denial of service through uncontrolled resource consumption, not code execution. This affects users of pypdf, especially those who process PDFs from untrusted sources. To protect yourself, update to pypdf 6.7.3 or later, or apply the fix commit manually.
What to do
- Update pypdf to version 6.7.3 or later.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | pypdf | < 6.7.3 | 6.7.3 |
| pypdf_project | pypdf | < 6.7.3 | 6.7.3 |
Original title
pypdf: Manipulated FlateDecode XFA streams can exhaust RAM
Original description
pypdf is a free and open-source pure-python PDF library. Prior to 6.7.3, an attacker who uses this vulnerability can craft a PDF which leads to the RAM being exhausted. This requires accessing the `xfa` property of a reader or writer and the corresponding stream being compressed using `/FlateDecode`. This has been fixed in pypdf 6.7.3. As a workaround, apply the patch manually.
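The description above names the mechanism: an attacker-controlled `/FlateDecode` stream that inflates to far more than it occupies on disk. As an added illustration, not pypdf's code and not the fix in the linked commit, the Python below shows the two caller-side controls that apply to this class of bug: a bounded inflate that refuses to expand a stream past a ceiling (the shape of fix a library needs), and a forked child with a capped address space for parsers you cannot patch yet. `MAX_INFLATED_BYTES`, `make_flate_bomb`, `run_with_memory_cap` and the size limits used are this example's own choices, and the bomb is a constructed input (zeros compressed with zlib, which is what FlateDecode uses).

```python
"""Added example (not pypdf's code, not the 6.7.3 fix): caller-side controls
against FlateDecode inflation bombs of the kind behind CVE-2026-27888.
MAX_INFLATED_BYTES, make_flate_bomb and the caps below are this example's own."""
import multiprocessing
import resource
import zlib

MAX_INFLATED_BYTES = 16 * 1024 * 1024   # hypothetical per-stream ceiling


class InflateLimitExceeded(ValueError):
    """The stream would inflate past the caller's ceiling."""


def inflate_bounded(data: bytes, limit: int = MAX_INFLATED_BYTES,
                    chunk: int = 64 * 1024) -> bytes:
    """Inflate a zlib (FlateDecode) stream, stopping once output exceeds limit.

    zlib.decompress(data) allocates whatever the stream expands to, so a few
    KiB of input can demand gigabytes. Taking at most `chunk` bytes per call
    and re-feeding unconsumed_tail keeps peak memory near limit + chunk.
    """
    d = zlib.decompressobj()
    out = bytearray()
    pending = data
    while not d.eof:
        piece = d.decompress(pending, chunk)
        remaining = d.unconsumed_tail
        if not piece and len(remaining) >= len(pending):
            break  # no progress: stream is truncated or corrupt
        pending = remaining
        out += piece
        if len(out) > limit:
            raise InflateLimitExceeded(
                f"stream inflates past {limit} bytes; refusing to continue")
    return bytes(out)


def make_flate_bomb(mebibytes: int) -> bytes:
    """Constructed test input: `mebibytes` MiB of zeros, zlib-compressed.
    zlib's best case is about 1032:1, so 16 MiB shrinks to roughly 16 KiB."""
    c = zlib.compressobj(level=9)
    parts = [c.compress(bytes(1024 * 1024)) for _ in range(mebibytes)]
    parts.append(c.flush())
    return b"".join(parts)


def _capped_worker(conn, fn, arg, max_bytes):
    resource.setrlimit(resource.RLIMIT_AS, (max_bytes, max_bytes))  # child only
    try:
        conn.send(("ok", fn(arg)))
    except MemoryError:
        conn.send(("error", "MemoryError under address-space cap"))
    except Exception as exc:  # report any other failure instead of dying silently
        conn.send(("error", f"{type(exc).__name__}: {exc}"))
    finally:
        conn.close()


def run_with_memory_cap(fn, arg, max_bytes: int, timeout: float = 60.0):
    """Run fn(arg) in a forked child whose address space is capped.

    The coarse control for code you cannot patch yet, e.g. handing a whole
    untrusted PDF to an older pypdf: the child hits MemoryError or dies and
    the parent stays up. POSIX only; fn's result must be small and picklable.
    """
    ctx = multiprocessing.get_context("fork")
    parent, child = ctx.Pipe(duplex=False)
    proc = ctx.Process(target=_capped_worker, args=(child, fn, arg, max_bytes))
    proc.start()
    child.close()
    try:
        result = parent.recv() if parent.poll(timeout) else ("error", "timeout")
    except EOFError:
        result = ("error", "child died before reporting")
    proc.join(timeout)
    if proc.is_alive():
        proc.kill()
    return result


if __name__ == "__main__":
    bomb = make_flate_bomb(512)  # ~0.5 MiB on the wire, 512 MiB when inflated
    try:
        inflate_bounded(bomb)
    except InflateLimitExceeded as exc:
        print("bounded inflate refused:", exc)
    # A 256 MiB cap is illustrative; size it for your real parser's peak usage.
    print("capped child:", run_with_memory_cap(
        lambda b: len(zlib.decompress(b)), bomb, 256 * 1024 * 1024))
```

The bounded inflate is the control a library author wants inside the decoder; the address-space cap is the one an operator can apply today around an unpatched pypdf call, and it also covers inflation paths the advisory does not mention. Neither replaces upgrading to 6.7.3.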
NVD CVSS 3.1
7.5
NVD CVSS 4.0
6.6
Vulnerability type
CWE-400
Uncontrolled Resource Consumption
References
- https://nvd.nist.gov/vuln/detail/CVE-2026-27888
- https://github.com/advisories/GHSA-x7hp-r3qg-r3cj
- https://github.com/py-pdf/pypdf/commit/7a4c8246ed48d9d328fb596942271da47b6d109c Patch
- https://github.com/py-pdf/pypdf/pull/3658 Issue Tracking Patch
- https://github.com/py-pdf/pypdf/releases/tag/6.7.3 Product Release Notes
- https://github.com/py-pdf/pypdf/security/advisories/GHSA-x7hp-r3qg-r3cj Patch Vendor Advisory
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27888... Vendor Advisory
Published: 26 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026