UNKNOWN PyPI
pypdf has possible long runtimes for malformed startxref
GHSA-4f6g-68pf-7vhv · CVE-2026-22691
Description
Impact
An attacker can craft a PDF whose invalid startxref entry leads to possibly very long runtimes. When pypdf falls back to rebuilding the cross-reference table, files containing lots of whitespace characters become problematic. Only the non-strict reading mode is affected.
Patches
This has been fixed in pypdf==6.6.0.
Workarounds
from pypdf import PdfReader, PdfWriter
# Instead of
reader = PdfReader("file.pdf")
# use the strict mode:
reader = PdfReader("file.pdf", strict=True)
# Instead of
writer = PdfWriter(clone_from="file.pdf")
# use an explicit strict reader:
writer = PdfWriter(clone_from=PdfReader("file.pdf", strict=True))
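As an added example (not pypdf's own code), the following defensive wrapper performs a cheap check of the trailing startxref offset before a file is handed to the reader, so a malformed entry is rejected up front instead of triggering the cross-reference rebuild. The check is a heuristic (it only inspects the last 1024 bytes and accepts any offset that lands on an "xref" keyword or an object header), the sample PDF is constructed inline, and pypdf is imported lazily inside open_pdf_checked.

```python
import io
import re

# A startxref offset must point at a classic "xref" table or, for PDF 1.5+
# xref streams, at an object header ("N G obj"). Heuristic, not pypdf logic.
_XREF_START = re.compile(rb"xref|\d+\s+\d+\s+obj")
_STARTXREF = re.compile(rb"startxref\s+(\d+)\s*%%EOF")


def startxref_is_valid(data: bytes) -> bool:
    """True if the last startxref offset in the file tail points at an xref section."""
    hits = _STARTXREF.findall(data[-1024:])  # assumption: trailer is in the last 1 KiB
    if not hits:
        return False
    offset = int(hits[-1])
    # Whitespace at the offset fails the match: that is exactly the case where the
    # non-strict reader would start an expensive rebuild.
    return offset < len(data) and _XREF_START.match(data, offset) is not None


def open_pdf_checked(data: bytes):
    """Open with pypdf's strict reader only after the startxref pre-check passes."""
    if not startxref_is_valid(data):
        raise ValueError("refusing PDF with invalid startxref (would force an xref rebuild)")
    from pypdf import PdfReader  # imported lazily; the check itself has no dependency
    return PdfReader(io.BytesIO(data), strict=True)


def build_sample_pdf(bad_offset=None) -> bytes:
    """Constructed minimal PDF; bad_offset substitutes a wrong startxref value."""
    header = b"%PDF-1.4\n"
    obj1 = b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    obj2 = b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    off1, off2 = len(header), len(header) + len(obj1)
    body = header + obj1 + obj2
    xref = (b"xref\n0 3\n0000000000 65535 f \n"
            + b"%010d 00000 n \n" % off1 + b"%010d 00000 n \n" % off2
            + b"trailer << /Size 3 /Root 1 0 R >>\n")
    startxref = len(body) if bad_offset is None else bad_offset
    return body + xref + b"startxref\n%d\n%%%%EOF\n" % startxref


if __name__ == "__main__":
    print("well-formed:", startxref_is_valid(build_sample_pdf()))
    print("bad offset: ", startxref_is_valid(build_sample_pdf(bad_offset=3)))
```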
Resources
This issue has been fixed in #3594.
References
- WEB https://github.com/py-pdf/pypdf/security/advisories/GHSA-4f6g-68pf-7vhv
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-22691
- WEB https://github.com/py-pdf/pypdf/pull/3594
- WEB https://github.com/py-pdf/pypdf/commit/294165726b646bb7799be1cc787f593f2fdbcf45
- PACKAGE https://github.com/py-pdf/pypdf
- WEB https://github.com/py-pdf/pypdf/releases/tag/6.6.0