Old Versions of pypdf Can Be Hacked to Crash Your Computer
DEBIAN-CVE-2026-40260
Summary
In versions of the pypdf library before 6.10.0, an attacker can craft a PDF whose manipulated XMP metadata entity declarations use up all your computer's memory, potentially causing it to crash. This can happen when an application parses the XMP metadata of a malicious PDF that someone sends you. The issue is fixed upstream in version 6.10.0; to fix this, update to version 6.10.0 or later.
What to do
No fix is available yet for the Debian packages listed below. Check with your software vendor for updates.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| Debian:12 | debian | pypdf | All versions |
| Debian:13 | debian | pypdf | All versions |
| Debian:14 | debian | pypdf | All versions |
| Debian:11 | debian | pypdf2 | All versions |
| Debian:12 | debian | pypdf2 | All versions |
Original title
pypdf is a free and open-source pure-python PDF library. In versions prior to 6.10.0, manipulated XMP metadata entity declarations can exhaust RAM. An attacker who exploits this vulnerability can c...
Original description
pypdf is a free and open-source pure-python PDF library. In versions prior to 6.10.0, manipulated XMP metadata entity declarations can exhaust RAM. An attacker who exploits this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the XMP metadata. This issue has been fixed in version 6.10.0.
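For systems that cannot yet move to 6.10.0, one possible pre-parse guard, given here as an added example that is not code from pypdf or Debian. It assumes the "entity declarations" in the description are XML DTD declarations inside the XMP packet, that legitimate XMP packets carry no DOCTYPE, and that the caller has already extracted the decoded metadata stream bytes; the function names and both sample packets are constructed for illustration.

```python
import xml.parsers.expat


class DtdInXmp(Exception):
    """Raised from expat callbacks to abort at the first DTD construct."""


def _reject(*_args):
    raise DtdInXmp()


def classify_xmp_packet(packet: bytes) -> str:
    """Return 'clean', 'dtd' or 'malformed' for a decoded XMP stream."""
    parser = xml.parsers.expat.ParserCreate()
    # The DOCTYPE precedes every entity declaration, so aborting here means
    # no entity is ever defined, let alone expanded.
    parser.StartDoctypeDeclHandler = _reject
    parser.EntityDeclHandler = _reject  # defence in depth
    try:
        parser.Parse(packet, True)
    except DtdInXmp:
        return "dtd"
    except xml.parsers.expat.ExpatError:
        return "malformed"
    return "clean"


def safe_to_parse(packet: bytes) -> bool:
    """Gate: hand the packet to the XMP parser only when no DTD is present."""
    return classify_xmp_packet(packet) == "clean"


# Constructed sample packets (not taken from any real PDF).
_HEAD = b'<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?>\n'
_TAIL = b'\n<?xpacket end="w"?>'
CLEAN_PACKET = (
    _HEAD + b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
    b'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/></x:xmpmeta>'
    + _TAIL
)
# One harmless entity is enough to exercise the guard.
ENTITY_PACKET = (
    _HEAD + b'<!DOCTYPE x:xmpmeta [<!ENTITY a "sample">]>\n'
    b'<x:xmpmeta xmlns:x="adobe:ns:meta/">&a;</x:xmpmeta>' + _TAIL
)

if __name__ == "__main__":
    for name, pkt in (("clean", CLEAN_PACKET), ("entity", ENTITY_PACKET)):
        print(name, "->", classify_xmp_packet(pkt))
```

Treat "malformed" the same as "dtd" in the calling code: skip XMP parsing for that file and log it for review.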
- https://security-tracker.debian.org/tracker/CVE-2026-40260 Vendor Advisory
Published: 17 Apr 2026 · Updated: 17 Apr 2026 · First seen: 17 Apr 2026