pypdf: Manipulated FlateDecode predictor parameters can exhaust RAM

GHSA-7gw9-cf7v-778f · CVE-2026-41312

Published Apr 16, 2026 · Modified May 6, 2026

Description

Impact

An attacker who uses this vulnerability can craft a PDF which leads to the RAM being exhausted. This requires accessing a stream compressed using /FlateDecode with a /Predictor unequal 1 and large predictor parameters.

Patches

This has been fixed in pypdf==6.10.2.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #3734.

References

WEB https://github.com/py-pdf/pypdf/security/advisories/GHSA-7gw9-cf7v-778f
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-41312
WEB https://github.com/py-pdf/pypdf/pull/3734
WEB https://github.com/py-pdf/pypdf/commit/ac734dab4eef92bcce50d503949b4d9887d89f11
PACKAGE https://github.com/py-pdf/pypdf
WEB https://github.com/py-pdf/pypdf/releases/tag/6.10.2

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes