7.3

PyPDF: Malicious PDFs Can Cause Memory Exhaustion

CVE-2026-31826 GHSA-hqmh-ppp3-xvm7
Summary

PyPDF, a Python library for working with PDFs, can be tricked into using up all your computer's memory if you open a specially crafted PDF file. This is a security risk because it could cause your computer to slow down or even crash. To stay safe, make sure you're using the latest version of PyPDF, at least 6.8.0, or apply the suggested changes if you can't update right away.

What to do
  • Update pypdf to version 6.8.0.
Affected software
| Vendor | Product | Affected versions | Fix available |
|--------|---------|-------------------|---------------|
| – | pypdf | <= 6.8.0 | 6.8.0 |
Original title
pypdf: manipulated stream length values can exhaust RAM
Original description
### Impact

An attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing a content stream with a rather large `/Length` value, regardless of the actual data length inside the stream.

### Patches
This has been fixed in [pypdf==6.8.0](https://github.com/py-pdf/pypdf/releases/tag/6.8.0).

### Workarounds
If you cannot upgrade yet, consider applying the changes from PR [#3675](https://github.com/py-pdf/pypdf/pull/3675).

As far as we are aware, this mostly affects reading from buffers of unknown size, as returned by `open("file.pdf", mode="rb")` for example. Passing a file path or a `BytesIO` buffer to *pypdf* instead does not seem to trigger the vulnerability.
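
A heuristic pre-screen for the condition described above, as an added example that is not pypdf's code or the change from PR #3675: it flags streams whose direct `/Length` exceeds the bytes left in the file. The function name, the 1024-byte look-back window and the sample bytes are assumptions made here; indirect `/Length` references and dictionaries inside compressed object streams are not checked.

```python
import re

# Direct integer /Length only; "\b" plus the lookahead skips indirect
# references such as "/Length 12 0 R", which this screen cannot resolve.
_LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R\b)")
# The "stream" keyword that opens stream data (not the tail of "endstream").
_STREAM_RE = re.compile(rb"(?<!end)stream\r?\n")


def oversized_streams(data: bytes, window: int = 1024):
    """Return (stream_offset, declared_length, bytes_available) for every
    stream whose declared /Length is larger than what the file still holds."""
    findings = []
    for m in _STREAM_RE.finditer(data):
        # The stream dictionary sits just before the keyword; look back a
        # bounded distance and cut at the object header ("N G obj").
        head = data[max(0, m.start() - window):m.start()]
        head = head[max(head.rfind(b"obj"), 0):]
        lengths = _LENGTH_RE.findall(head)
        if not lengths:
            continue  # no direct /Length found (indirect or out of window)
        # Drop leading zeros and keep at most 20 digits: already larger than
        # any real file, and it avoids int()'s limit on very long digit runs.
        digits = lengths[-1].lstrip(b"0") or b"0"
        declared = int(digits[:20])
        available = len(data) - m.end()
        if declared > available:
            findings.append((m.start(), declared, available))
    return findings


# Constructed sample bytes (not a complete PDF): object 1 is honest, object 2
# declares far more data than the file contains, object 3 uses an indirect length.
SAMPLE = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /Length 5 >>\nstream\nhello\nendstream\nendobj\n"
    b"2 0 obj\n<< /Length 999999999 >>\nstream\nhi\nendstream\nendobj\n"
    b"3 0 obj\n<< /Length 4 0 R >>\nstream\nabc\nendstream\nendobj\n"
)

if __name__ == "__main__":
    for offset, declared, available in oversized_streams(SAMPLE):
        print(f"offset {offset}: /Length {declared} but only {available} bytes follow")
```

A hit is a reason to quarantine the file for review before it reaches a parser; a clean result does not prove the file is safe.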
NVD CVSS 4.0: 6.8
Vulnerability type
CWE-770 Allocation of Resources Without Limits
Published: 11 Mar 2026 · Updated: 13 Mar 2026 · First seen: 10 Mar 2026