7.3

pypdf Can Take a Long Time to Process Malformed PDFs

CVE-2026-27026 · GHSA-9mvc-8737-8j8h
Summary

If you use pypdf, an attacker could create a PDF that would take a long time to process. This could potentially cause delays or slow down your system. Update to version 6.7.1 or later to fix this issue.

What to do
  • Update pypdf to version 6.7.1.
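One way to check for pins that still need this update, as an added example (not code from pypdf or from this advisory). It treats releases below 6.7.1 as affected, following the description's "Prior to 6.7.1"; the function names and the sample requirements text are constructed for illustration.

```python
import re
from importlib import metadata

FIXED = (6, 7, 1)  # first fixed pypdf release, per the advisory text

# Exact pins only, e.g. "pypdf==6.7.0" or "PyPDF[crypto] == 6.6.2".
# "pypdf2==..." does not match: it is a different distribution.
PIN_RE = re.compile(
    r"^\s*pypdf(?:\[[^\]]*\])?\s*==\s*([0-9]+(?:\.[0-9]+)*)", re.IGNORECASE
)

# Constructed sample input, not taken from any real project.
SAMPLE = """\
# constructed sample requirements file
requests==2.32.3
pypdf==6.7.0
PyPDF[crypto] == 6.6.2  # extras syntax
pypdf2==3.0.1
pypdf==6.7.1
"""

def release_tuple(version):
    """'6.7' -> (6, 7, 0). Suffixes such as 'rc1' are ignored."""
    m = re.match(r"[0-9]+(?:\.[0-9]+)*", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    parts = [int(p) for p in m.group(0).split(".")]
    parts += [0] * (3 - len(parts))  # pad so '6.7' compares as 6.7.0
    return tuple(parts)

def is_affected(version):
    return release_tuple(version) < FIXED

def audit_requirements(text):
    """Return [(line_number, version)] for exact pypdf pins below the fix."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = PIN_RE.match(line.split("#", 1)[0])  # drop trailing comments
        if m and is_affected(m.group(1)):
            findings.append((n, m.group(1)))
    return findings

def installed_is_affected():
    """True/False for the pypdf in this environment, None if not installed."""
    try:
        return is_affected(metadata.version("pypdf"))
    except metadata.PackageNotFoundError:
        return None
```

Range specifiers such as `pypdf>=5.0` are not evaluated here; resolve them to a concrete version (for example from a lock file) before auditing.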
Affected software
Vendor          Product   Affected versions   Fix available
(none listed)   pypdf     <= 6.7.1            6.7.1
pypdf_project   pypdf     <= 6.7.1            (none listed)
Original title
pypdf possibly has long runtimes for malformed FlateDecode streams
Original description
pypdf is a free and open-source pure-Python PDF library. Prior to 6.7.1, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires a malformed /FlateDecode stream, where the byte-by-byte decompression is used. This vulnerability is fixed in 6.7.1.
NVD CVSS 3.1: 5.5
NVD CVSS 4.0: 6.9
Vulnerability type
CWE-770 Allocation of Resources Without Limits
Published: 20 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026