CVE-2026-48155: pypdf Denial of Service via Malicious PDF Memory Exhaustion
pypdf, a popular open-source PDF processing library, contains a denial-of-service vulnerability affecting versions prior to 6.12.0. An attacker can craft a malicious PDF file that, when processed by pypdf's text extraction feature in layout mode, triggers excessive memory consumption. This occurs specifically when the PDF contains large character offsets. The flaw does not compromise data confidentiality or integrity, but can render systems unresponsive or crash applications that depend on pypdf for PDF handling.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-400
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
pypdf is a free and open-source pure-python PDF library. Prior to 6.12.0, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires extracting text in layout mode with large character offsets. This vulnerability is fixed in 6.12.0.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-48155 is a CWE-400 (Uncontrolled Resource Consumption) vulnerability in pypdf that manifests during text extraction operations performed in layout mode. When pypdf processes a specially crafted PDF with abnormally large character offset values, the library allocates memory without appropriate bounds checking, leading to unbounded memory growth. The vulnerability requires user interaction in the sense that text extraction must be explicitly called, but no elevated privileges are required. The attack vector is local (file-based), making it relevant to environments where untrusted PDFs are processed programmatically.
Business impact
Organizations relying on pypdf for automated PDF processing workflows—such as document management systems, data extraction pipelines, or report generation tools—face service availability risks. A single malicious PDF can exhaust system memory, potentially crashing the application or consuming resources needed by other processes. In multi-tenant or shared infrastructure scenarios, this could affect other users or services. The impact is particularly acute in headless server environments where PDF processing happens without user oversight.
Affected systems
pypdf versions prior to 6.12.0 are affected. This includes all 6.x versions before 6.12.0, and potentially earlier versions if they exist. Any application or service that directly embeds pypdf and calls text extraction methods in layout mode is at risk. Verify your pypdf version by checking your dependency manifest or running 'pip show pypdf'. Users of wrapper libraries or indirect dependencies on pypdf should trace their supply chain to confirm exposure.
Exploitability
Exploitability is moderate. An attacker must craft a malicious PDF file and convince or trick a user or system to process it with pypdf's text extraction feature in layout mode. No code execution or authentication bypass is possible. However, the barrier to creation is low—any attacker with knowledge of PDF structure and character offset manipulation can generate a proof-of-concept. Detection by standard PDF validators may be limited if offset validation is not a primary check. Automated systems that process PDFs from external or semi-trusted sources without resource limits are at highest risk.
Remediation
Upgrade pypdf to version 6.12.0 or later. This is the primary and recommended remediation. Organizations unable to upgrade immediately should implement compensating controls: (1) restrict text extraction to trusted PDF sources; (2) implement resource limits (memory caps, timeouts) around pypdf operations; (3) validate PDF structure before processing; (4) run pypdf in sandboxed or containerized environments with enforced memory quotas; (5) disable layout mode for text extraction if not essential to your workflow.
Patch guidance
Update pypdf via your package manager: 'pip install --upgrade pypdf' (ensure version 6.12.0 or higher is installed). Verify the installation by running 'pip show pypdf' and confirming the version. No database migrations, configuration changes, or application code modifications are required; the fix is internal to the library. Test in a non-production environment first to ensure compatibility with your application, though the upgrade should be transparent. For pinned dependencies, update your requirements.txt, Pipfile, or equivalent to 'pypdf>=6.12.0'.
Detection guidance
Monitor for symptoms of resource exhaustion correlated with pypdf text extraction operations: unusual memory growth, out-of-memory errors, or process crashes during PDF processing. Log PDF filenames and sources being processed. If feasible, integrate file integrity monitoring to detect anomalous PDFs with unusual structure. Application Performance Monitoring (APM) tools can alert on memory spikes. In network contexts, monitor for repeated attempts to submit PDFs to processing endpoints. Endpoint Detection and Response (EDR) solutions may flag memory exhaustion patterns but will not identify the root cause without application-level logging. No specific IDS/IPS signatures are yet available for this vulnerability.
Why prioritize this
This vulnerability warrants medium priority attention. While the CVSS score is 5.5 (Medium), the real-world priority depends on your specific use case. Organizations that process untrusted or external PDFs at scale, or operate shared infrastructure where resource denial affects multiple users, should prioritize this upgrade. Services with strict availability requirements should remediate sooner. Conversely, organizations that only process internally-generated PDFs with controlled workflows can defer slightly, but should still plan upgrade within 30 days. The fact that this is not yet in CISA's Known Exploited Vulnerabilities (KEV) catalog suggests active exploitation is not widespread, but the ease of exploitation means this could change.
Risk score, explained
The CVSS 3.1 score of 5.5 (Medium) reflects a local attack vector, low complexity, no privileges required, and user interaction (opening/processing a PDF). The attack results in high availability impact (denial of service via memory exhaustion) but no confidentiality or integrity impact. The score appropriately captures the availability risk but may underweight scenarios in which a single crafted PDF crashes critical infrastructure. Context-specific risk is higher for organizations running automated PDF processing pipelines without resource isolation. The absence from CISA's KEV list lowers immediate tactical risk but does not diminish strategic patching importance.
Frequently asked questions
Does this vulnerability allow an attacker to read or modify PDF contents?
No. CVE-2026-48155 is purely a denial-of-service vulnerability. It does not enable unauthorized access to data within PDFs, modification of PDF content, or execution of arbitrary code. The attacker's only objective is to consume system resources and render the application unavailable.
Do I need to upgrade if I only use pypdf for basic PDF reading and not text extraction in layout mode?
If you do not call pypdf's text extraction methods with layout mode enabled, your exposure is significantly reduced but not eliminated—verify your usage patterns. That said, upgrading to 6.12.0 is low-risk and recommended to future-proof against mode-switching or library misuse by other developers on your team. The upgrade should be transparent.
Can I mitigate this vulnerability without upgrading?
Partial mitigation is possible through compensating controls: (1) restrict PDF processing to known-safe, internally-generated sources; (2) implement strict memory and timeout limits around pypdf operations using OS-level cgroups or container resource constraints; (3) run pypdf in isolated worker processes or containers so a crash does not take down your main application. However, these are temporary measures. Upgrade should be your primary action.
Is there a public exploit or proof-of-concept for this vulnerability?
No public weaponized exploit is known at the time of publication. This vulnerability is not listed on CISA's KEV catalog, indicating limited evidence of active exploitation in the wild. However, the simplicity of the attack (crafting a malicious PDF) means an exploit could emerge quickly. Do not rely on the absence of public PoCs as justification for delaying patching.
This analysis is provided for informational purposes and reflects the vulnerability details and patch guidance available as of June 2026. Security assessments are context-dependent; your organization's risk may differ based on how pypdf is deployed and what data sources feed it. Upgrade recommendations assume standard operational environments; critical or highly customized deployments should conduct compatibility testing before patching. No warranty is provided regarding the completeness or timeliness of this analysis. Always refer to the official pypdf project advisory and your vendor documentation for authoritative patch and compatibility information. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2019-25721MEDIUMDräger Infinity M300 Denial-of-Service Vulnerability – Network-Induced Device Reboots
- CVE-2019-25724MEDIUMDräger Infinity M300 Denial-of-Service Vulnerability Impact on Patient Monitoring
- CVE-2025-48648MEDIUMAndroid NotificationManagerService Resource Exhaustion DoS
- CVE-2026-0042MEDIUMAndroid UBSan Resource Exhaustion Denial of Service
- CVE-2026-0069MEDIUMAndroid Resource Exhaustion in APK Signature Verification
- CVE-2026-0074MEDIUMAndroid LauncherProcessImageListener Denial of Service Vulnerability
- CVE-2026-10156MEDIUMOpen5GS Resource Exhaustion Vulnerability in nf-instances Endpoint
- CVE-2026-10224MEDIUMNousResearch hermes-agent Webhook Resource Exhaustion Vulnerability