pypdf: Possible long runtimes for wrong size values in incremental mode

GHSA-4pxv-j86v-mhcw · CVE-2026-41313

Published Apr 16, 2026 · Modified May 6, 2026

Description

Impact

An attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires loading a PDF with a large trailer /Size value in incremental mode.

Patches

This has been fixed in pypdf==6.10.2.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #3735.

References

WEB https://github.com/py-pdf/pypdf/security/advisories/GHSA-4pxv-j86v-mhcw
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-41313
WEB https://github.com/py-pdf/pypdf/pull/3735
WEB https://github.com/py-pdf/pypdf/commit/c50a0104cf083356f7c7f5d61410466a57f5c88a
PACKAGE https://github.com/py-pdf/pypdf
WEB https://github.com/py-pdf/pypdf/releases/tag/6.10.2

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes