CVE-2026-22690

EUVD-2026-1878

10.01.2026, 05:16

pypdf is a free and open-source pure-python PDF library. Prior to version 6.6.0, pypdf has possible long runtimes for missing /Root object with large /Size values. An attacker who uses this vulnerability can craft a PDF which leads to possibly long runtimes for actually invalid files. This can be achieved by omitting the /Root entry in the trailer, while using a rather large /Size value. Only the non-strict reading mode is affected. This issue has been patched in version 6.6.0.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Base Score

CVSS 3.x

EPSS Score

Percentile: 4%

Affected Products (NVD)

Vendor	Product	Version
pypdf_project	pypdf	𝑥 < 6.6.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

pypdf

bookworm	no-dsa
bullseye	postponed
forky	vulnerable
sid	vulnerable
trixie	no-dsa

pypdf2

bookworm	no-dsa
bullseye	postponed
trixie	no-dsa

Common Weakness Enumeration

CWE-400 - Uncontrolled Resource Consumption
The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

References

https://github.com/py-pdf/pypdf/commit/294165726b646bb7799be1cc787f593f2fdbcf45

https://github.com/py-pdf/pypdf/pull/3594

https://github.com/py-pdf/pypdf/releases/tag/6.6.0

https://github.com/py-pdf/pypdf/security/advisories/GHSA-4xc4-762w-m6cg