pypdf: Manipulated FlateDecode image dimensions can exhaust RAM

GHSA-x284-j5p8-9c5p · CVE-2026-41314

Published Apr 16, 2026 · Modified May 6, 2026

Description

Impact

An attacker who uses this vulnerability can craft a PDF which leads to the RAM being exhausted. This requires accessing an image using /FlateDecode with large size values.

Patches

This has been fixed in pypdf==6.10.2.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #3734.

References

WEB https://github.com/py-pdf/pypdf/security/advisories/GHSA-x284-j5p8-9c5p
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-41314
WEB https://github.com/py-pdf/pypdf/pull/3734
WEB https://github.com/py-pdf/pypdf/commit/ac734dab4eef92bcce50d503949b4d9887d89f11
PACKAGE https://github.com/py-pdf/pypdf
WEB https://github.com/py-pdf/pypdf/releases/tag/6.10.2

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes