6.9

pypdf: Creating a malicious PDF can crash your system

CVE-2026-28351 GHSA-f2v5-7jq9-h8cg
Summary

An attacker can crash your system with a crafted PDF that uses the RunLengthDecode compression filter: parsing its content stream can drive memory usage high enough to exhaust RAM. This is fixed in version 6.7.4 of pypdf. If you can't update yet, consider applying the changes from PR #3664.

What to do
  • Update pypdf to version 6.7.4.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| | pypdf | <= 6.7.4 | 6.7.4 |
| pypdf_project | pypdf | <= 6.7.4 | |
Original title
pypdf: Manipulated RunLengthDecode streams can exhaust RAM
Original description
### Impact

An attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the content stream using the RunLengthDecode filter.

### Patches
This has been fixed in [pypdf==6.7.4](https://github.com/py-pdf/pypdf/releases/tag/6.7.4).

### Workarounds
If you cannot upgrade yet, consider applying the changes from PR [#3664](https://github.com/py-pdf/pypdf/pull/3664).
nvd CVSS3.1 5.3
nvd CVSS4.0 6.9
Vulnerability type
CWE-400 Uncontrolled Resource Consumption
Published: 28 Feb 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026
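
The class of defect described above (CWE-400 in a RunLengthDecode decoder) is avoided by checking an output budget before every run is appended. The decoder below is an added example, not pypdf's code and not the change from PR #3664; the names `run_length_decode` and `DecodedSizeExceeded` and the `max_output` default are assumptions made for illustration, and the encoding rules follow the PDF specification's definition of the filter.

```python
"""Bounded RunLengthDecode decoder (added example, not pypdf code)."""

EOD = 128  # length byte that marks end of data


class DecodedSizeExceeded(ValueError):
    """Raised when the decoded stream would exceed the caller's budget."""


def run_length_decode(data: bytes, max_output: int = 75_000_000) -> bytes:
    """Decode a RunLengthDecode stream, producing at most max_output bytes.

    max_output is a hypothetical default chosen for this example.
    A stream that ends without an EOD byte is accepted as complete.
    """
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        length = data[i]
        i += 1
        if length == EOD:
            break
        if length < EOD:
            # Literal run: copy the next length+1 bytes unchanged.
            count = length + 1
            chunk = data[i:i + count]
            if len(chunk) != count:
                raise ValueError("truncated literal run")
            i += count
        else:
            # Repeat run: the next single byte is repeated 257-length times.
            if i >= n:
                raise ValueError("truncated repeat run")
            count = 257 - length
            chunk = data[i:i + 1] * count
            i += 1
        # Enforce the budget before growing the buffer, so a stream made
        # of many repeat runs fails early instead of consuming memory.
        if len(out) + count > max_output:
            raise DecodedSizeExceeded(f"decoded size exceeds {max_output} bytes")
        out += chunk
    return bytes(out)


# Constructed sample: literal "AB", then "C" repeated 4 times, then EOD.
SAMPLE = bytes([1]) + b"AB" + bytes([253]) + b"C" + bytes([EOD])
```

Callers that process untrusted PDFs can catch `DecodedSizeExceeded` and reject the file rather than letting the worker run out of memory.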