7.3
pypdf: Large PDFs can cause memory exhaustion
GHSA-7gw9-cf7v-778f
Summary
An attacker might create a large PDF that uses a specific compression method, which could cause the computer to run out of memory. This affects anyone using pypdf, a Python library for working with PDFs. To fix it, update pypdf to the latest version (6.10.2) or apply a temporary fix from a GitHub pull request (#3734) if an update isn't possible yet.
What to do
- Update stefan6419846 pypdf to version 6.10.2.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| PyPI | stefan6419846 | pypdf | < 6.10.2 (fix: upgrade to 6.10.2) |
Original title
pypdf: Manipulated FlateDecode predictor parameters can exhaust RAM
Original description
### Impact
An attacker who uses this vulnerability can craft a PDF which leads to the RAM being exhausted. This requires accessing a stream compressed using `/FlateDecode` with a `/Predictor` not equal to 1 and large predictor parameters.
### Patches
This has been fixed in [pypdf==6.10.2](https://github.com/py-pdf/pypdf/releases/tag/6.10.2).
### Workarounds
If you cannot upgrade yet, consider applying the changes from PR [#3734](https://github.com/py-pdf/pypdf/pull/3734).
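Services that screen untrusted PDFs can also test for the condition described under Impact before a stream is decoded. The following is an added example, not pypdf's code and not the change from PR #3734: it checks a plain dict standing in for a stream's `/DecodeParms`, and the function names and the 1 MiB row budget are assumptions.

```python
# Added example: plain dicts stand in for a stream's /DecodeParms.
MAX_ROW_BYTES = 1 << 20          # assumed per-row budget (1 MiB); tune to your documents
VALID_BPC = {1, 2, 4, 8, 16}     # BitsPerComponent values allowed by the PDF specification


def predictor_row_bytes(parms):
    """Bytes in one predictor row; defaults per the PDF spec (Colors 1, BPC 8, Columns 1)."""
    fields = {
        "/Colors": parms.get("/Colors", 1),
        "/BitsPerComponent": parms.get("/BitsPerComponent", 8),
        "/Columns": parms.get("/Columns", 1),
    }
    for name, value in fields.items():
        if isinstance(value, bool) or not isinstance(value, int) or value < 1:
            raise ValueError(f"{name} must be a positive integer, got {value!r}")
    if fields["/BitsPerComponent"] not in VALID_BPC:
        raise ValueError(f"/BitsPerComponent {fields['/BitsPerComponent']} is not valid")
    bits = fields["/Colors"] * fields["/BitsPerComponent"] * fields["/Columns"]
    return (bits + 7) // 8  # integer ceiling; safe for arbitrarily large values


def check_decode_parms(parms, max_row_bytes=MAX_ROW_BYTES):
    """Return (ok, reason) for the /DecodeParms of a /FlateDecode stream."""
    if parms.get("/Predictor", 1) == 1:
        return True, "no predictor in use"
    try:
        row = predictor_row_bytes(parms)
    except ValueError as exc:
        return False, str(exc)
    if row > max_row_bytes:
        return False, f"row of {row} bytes exceeds budget of {max_row_bytes}"
    return True, f"row of {row} bytes"


# Constructed sample inputs (not taken from any real file).
SAMPLES = {
    "typical xref stream": {"/Predictor": 12, "/Columns": 5},
    "oversized parameters": {"/Predictor": 12, "/Colors": 4,
                             "/BitsPerComponent": 16, "/Columns": 2**31 - 1},
    "malformed columns": {"/Predictor": 15, "/Columns": -1},
}

if __name__ == "__main__":
    for label, parms in SAMPLES.items():
        print(label, "->", check_decode_parms(parms))
```

A check like this supplements upgrading to 6.10.2; it does not replace it.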
osv CVSS4.0: 7.3
Vulnerability type
CWE-789
Published: 16 Apr 2026 · Updated: 16 Apr 2026 · First seen: 16 Apr 2026