6.9
Adobe Acrobat: Malicious PDFs can cause memory crashes
GHSA-3crg-w4f6-42mx
CVE-2026-40260
Summary
A malicious PDF can be crafted to consume all available memory on a system that parses it with the pypdf library, potentially causing the program to freeze or crash. Only code paths that parse the PDF's XMP metadata are affected. To fix, update to pypdf version 6.10.0 or apply the temporary patch from the linked GitHub pull request.
What to do
- Update stefan6419846 pypdf to version 6.10.0.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| PyPI | stefan6419846 | pypdf | < 6.10.0 (fix: upgrade to 6.10.0) |
Original title
pypdf is a free and open-source pure-python PDF library. In versions prior to 6.10.0, manipulated XMP metadata entity declarations can exhaust RAM. An attacker who exploits this vulnerability can c...
Original description
pypdf is a free and open-source pure-python PDF library. In versions prior to 6.10.0, manipulated XMP metadata entity declarations can exhaust RAM. An attacker who exploits this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the XMP metadata. This issue has been fixed in version 6.10.0.
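A pre-parse check a defender can run before handing untrusted files to pypdf, added here as an example (it is not part of the advisory, of pypdf, or of its fix): it walks the raw PDF stream objects, inflates XMP metadata streams, and rejects any whose packet carries a DTD or entity declaration, which the advisory identifies as the trigger. The minimal PDF wrapper and both sample packets are constructed for the demonstration.

```python
import re
import zlib

# XMP is plain RDF/XML with no legitimate use for a DTD, so any declaration is a red flag.
ENTITY_DECL = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b")
STREAM_KW = re.compile(rb"(?<!end)stream\r?\n")  # 'stream' but not 'endstream'

def iter_streams(pdf: bytes):
    """Yield (stream dictionary, raw stream body) for each stream object."""
    for m in STREAM_KW.finditer(pdf):
        head = pdf[:m.start()].rstrip()
        if not head.endswith(b">>"):
            continue  # keyword not preceded by a dictionary: not a stream object
        dictionary = head[head.rfind(b"obj") + 3:]
        length = re.search(rb"/Length\s+(\d+)(?![\s\d]*R)", dictionary)
        if length:
            body = pdf[m.end():m.end() + int(length.group(1))]
        else:  # indirect /Length: fall back to the endstream keyword
            body = pdf[m.end():pdf.find(b"endstream", m.end())]
        yield dictionary, body

def xmp_has_entity_declarations(pdf: bytes) -> bool:
    """True if any XMP metadata stream in the file declares a DTD or entity."""
    for dictionary, body in iter_streams(pdf):
        if not re.search(rb"/Type\s*/Metadata|/Subtype\s*/XML", dictionary):
            continue
        if b"/FlateDecode" in dictionary:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                return True  # fail closed: metadata we cannot inspect is rejected
        if ENTITY_DECL.search(body):
            return True
    return False

def build_pdf(xmp: bytes, compress: bool = False) -> bytes:
    """Wrap an XMP packet in a minimal, constructed PDF with one Metadata stream."""
    body = zlib.compress(xmp) if compress else xmp
    flt = b" /Filter /FlateDecode" if compress else b""
    return (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Metadata 2 0 R >>\nendobj\n"
            b"2 0 obj\n<< /Type /Metadata /Subtype /XML /Length "
            + str(len(body)).encode() + flt + b" >>\nstream\n" + body
            + b"\nendstream\nendobj\n%%EOF\n")

# Constructed sample packets (not taken from the advisory or from pypdf).
BENIGN_XMP = (b"<?xpacket begin='' id='W5M0MpCehiHzreSzNTczkc9d'?>"
              b"<x:xmpmeta xmlns:x='adobe:ns:meta/'/><?xpacket end='w'?>")
SUSPICIOUS_XMP = (b"<?xpacket begin='' id='W5M0MpCehiHzreSzNTczkc9d'?>"
                  b"<!DOCTYPE x [ <!ENTITY a \"aaaa\"> ]>"
                  b"<x:xmpmeta xmlns:x='adobe:ns:meta/'>&a;</x:xmpmeta><?xpacket end='w'?>")
```

Files that fail the check should be dropped before any call into pypdf, since the advisory states the exhaustion happens during XMP parsing; the check is a stop-gap and does not replace upgrading to 6.10.0.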
CVSS 4.0 score (OSV)
7.8
Vulnerability type
CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
- https://github.com/py-pdf/pypdf/security/advisories/GHSA-3crg-w4f6-42mx URL
- https://github.com/py-pdf/pypdf/pull/3724 URL
- https://github.com/py-pdf/pypdf/commit/b15a374e5ca648d4878e57c3b2c0551e7f8cc7f8 URL
- https://github.com/py-pdf/pypdf Product
- https://github.com/py-pdf/pypdf/releases/tag/6.10.0 URL
Published: 17 Apr 2026 · Updated: 17 Apr 2026 · First seen: 10 Apr 2026