CVE-2026-22691

EUVD-2026-1691

10.01.2026, 05:16

pypdf is a free and open-source pure-python PDF library. Prior to version 6.6.0, pypdf has possible long runtimes for malformed startxref. An attacker who uses this vulnerability can craft a PDF which leads to possibly long runtimes for invalid startxref entries. When rebuilding the cross-reference table, PDF files with lots of whitespace characters become problematic. Only the non-strict reading mode is affected. Only the non-strict reading mode is affected. This issue has been patched in version 6.6.0.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Base Score

CVSS 3.x

EPSS Score

Percentile: 6%

Affected Products (NVD)

Vendor	Product	Version
pypdf_project	pypdf	𝑥 < 6.6.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

pypdf

bookworm	no-dsa
forky	6.9.2-1 fixed
sid	6.9.2-1 fixed
trixie	no-dsa

pypdf2

bookworm	no-dsa
bullseye	postponed

Common Weakness Enumeration

CWE-400 - Uncontrolled Resource Consumption
The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

References

https://github.com/py-pdf/pypdf/commit/294165726b646bb7799be1cc787f593f2fdbcf45

https://github.com/py-pdf/pypdf/pull/3594

https://github.com/py-pdf/pypdf/releases/tag/6.6.0

https://github.com/py-pdf/pypdf/security/advisories/GHSA-4f6g-68pf-7vhv