CVE-2026-48155
Published: 2026-05-28
Priority: P4 (21) · Severity: medium · CVSS 3.1 base score: 5.5
CVSS 3.1 vector: AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
EPSS: 0.13% (2.7th percentile)
pypdf is a free and open-source pure-python PDF library. Prior to 6.12.0, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires extracting text in layout mode with large character offsets. This vulnerability is fixed in 6.12.0.
Affected (14 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ansible-automation-platform-25 | lightspeed-chatbot-rhel8 | — | — |
| exploit-intelligence-tech-preview | vulnerability-analysis-rhel9 | — | — |
| openshift-lightspeed-tech-preview | lightspeed-rag-tool-rhel9 | — | — |
| openshift-lightspeed | lightspeed-ocp-rag-rhel9 | — | — |
| py-pdf | pypdf | < 6.12.0 | 6.12.0 |
| pypdf_project | pypdf | < 6.12.0 | 6.12.0 |
| pypdf_project | pypdf | >= 0 < 6.12.0 | 6.12.0 |
| quay | quay-rhel8 | — | — |
| quay | quay-rhel9 | — | — |
| rhelai3 | bootc-cuda-rhel9 | — | — |
| rhelai3 | bootc-gaudi-rhel9 | — | — |
| rhelai3 | bootc-rocm-rhel9 | — | — |
| rhelai3 | disk-image-cuda-rhel9 | — | — |
| rhoai | odh-llama-stack-core-rhel9 | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
| NVD | 4.0 | 4.8 | MEDIUM | CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| Red Hat (vendor) | — | 4.8 | MEDIUM | — |
GHSA
pypdf: Possible large memory usage for large offsets for layout mode text
ghsa · 2026-06-12 · CVE-2026-48155 [MEDIUM] · CWE-400
### Impact
An attacker can craft a PDF that causes large memory usage when it is processed. Triggering the issue requires extracting text in layout mode from a document with large character offsets.
### Patches
This has been fixed in [pypdf==6.12.0](https://github.com/py-pdf/pypdf/releases/tag/6.12.0).
### Workarounds
If developers are unable to immediately upgrade, they should consider applying the changes from PR [#3790](https://github.com/py-pdf/pypdf/pull/3790).
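As an added defender-side example (not code from pypdf or from either advisory), the wrapper below refuses layout-mode extraction while the installed pypdf is older than the fixed 6.12.0 release, and otherwise runs extraction in a child process whose address space is capped, so a crafted PDF fails with a MemoryError in the child rather than exhausting the host. The cap value, the helper names, the timeout, and a Unix host (the `resource` module) are assumptions; the pypdf calls used are `PdfReader` and `extract_text(extraction_mode=...)`.

```python
import importlib.metadata
import multiprocessing
import re
import resource
from queue import Empty

FIXED_VERSION = (6, 12, 0)            # first release containing the fix, per the advisory
MEMORY_LIMIT = 512 * 1024 * 1024      # constructed example cap in bytes; tune to your workload

def parse_version(text):
    """Return (major, minor, patch) from strings such as '6.11.2' or '6.12.0rc1'."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())

def is_vulnerable(version):
    """True for any pypdf release before 6.12.0 (the affected range on this page)."""
    return parse_version(version) < FIXED_VERSION

def _worker(path, mode, limit, out):
    # Child process: cap its address space so inflated layout-mode buffers fail here.
    try:
        resource.setrlimit(resource.RLIMIT_AS, (limit, limit))
        from pypdf import PdfReader   # imported here so the parent never loads it
        pages = PdfReader(path).pages
        out.put(("ok", "\n".join(p.extract_text(extraction_mode=mode) for p in pages)))
    except MemoryError:
        out.put(("error", "memory cap hit during text extraction"))
    except Exception as exc:          # malformed input, unsupported features, ...
        out.put(("error", repr(exc)))

def safe_extract_text(path, layout=False, limit=MEMORY_LIMIT, timeout=60):
    """Extract text from `path`, refusing the vulnerable layout path on old pypdf."""
    if layout and is_vulnerable(importlib.metadata.version("pypdf")):
        raise RuntimeError("layout-mode extraction disabled: upgrade pypdf to >= 6.12.0")
    mode = "layout" if layout else "plain"
    out = multiprocessing.Queue()
    proc = multiprocessing.Process(target=_worker, args=(path, mode, limit, out))
    proc.start()
    try:
        status, payload = out.get(timeout=timeout)   # read before join: avoids pipe deadlock
    except Empty:
        proc.kill()
        status, payload = "error", "text extraction timed out"
    proc.join(timeout=5)
    if status != "ok":
        raise RuntimeError(payload)
    return payload
```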
Red Hat
pypdf: Denial of Service via crafted PDF with large character offsets
vendor_redhat · 2026-05-28 · CVSS 4.8 · CVE-2026-48155 [MEDIUM] · CWE-770
A flaw was found in pypdf, a free and open-source pure-python PDF library. An attacker can craft a malicious PDF file that, when processed, leads to excessive memory consumption. This occurs when extracting text in layout mode with large character offsets. This vulnerability can result in a Denial of Service (DoS) due to large memory usage.
Mitigation: Mitigation for this issue is either not available, or the currently available options do not meet the Red Hat Product Security criteria of ease of use and deployment, applicability to a widespread installation base, or stability.
Package: exploit-intelligence-tech-preview/vulnerability-analysis-rhel9 (Exploit Intelligence) - Fix deferred
Package: openshift-l
No detection rules found.
No public exploits indexed.