SB2026022023 - Multiple vulnerabilities in PyPDF

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Infinite loop (CVE-ID: CVE-2026-27024)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop when processing TreeObject. A remote attacker can use a specially crafted PDF and cause denial of service conditions.

2) Resource exhaustion (CVE-ID: CVE-2026-27026)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources within /FlateDecode stream. A remote attacker can use a specially crafted PDF, trigger resource exhaustion and perform a denial of service (DoS) attack.

3) Excessive Iteration (CVE-ID: CVE-2026-27025)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input within /ToUnicode streams. A remote attacker can use a specially crafted PDF and perform a denial of service (DoS) attack.

Remediation

Install update from vendor's website.

References

• https://github.com/py-pdf/pypdf/security/advisories/GHSA-996q-pr4m-cvgq
• https://github.com/py-pdf/pypdf/security/advisories/GHSA-9mvc-8737-8j8h
• https://github.com/py-pdf/pypdf/security/advisories/GHSA-wgvp-vg3v-2xq3