CVE-2026-48156
Published 2026-05-28
Priority: P4 · 11 · low · 3.3 (CVSS 3.1)
CVSS 3.1 vector: AV:L / AC:L / PR:N / UI:R / S:U / C:N / I:N / A:L
EPSS: 0.12% (2.5th percentile)
pypdf is a free and open-source pure-python PDF library. Prior to 6.12.0, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires cross-reference streams with /W [0 0 0] values and large /Size values. This vulnerability is fixed in 6.12.0.
Affected (14 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ansible-automation-platform-25 | lightspeed-chatbot-rhel8 | — | — |
| exploit-intelligence-tech-preview | vulnerability-analysis-rhel9 | — | — |
| openshift-lightspeed-tech-preview | lightspeed-rag-tool-rhel9 | — | — |
| openshift-lightspeed | lightspeed-ocp-rag-rhel9 | — | — |
| py-pdf | pypdf | < 6.12.0 | 6.12.0 |
| pypdf_project | pypdf | < 6.12.0 | 6.12.0 |
| pypdf_project | pypdf | >= 0 < 6.12.0 | 6.12.0 |
| quay | quay-rhel8 | — | — |
| quay | quay-rhel9 | — | — |
| rhelai3 | bootc-cuda-rhel9 | — | — |
| rhelai3 | bootc-gaudi-rhel9 | — | — |
| rhelai3 | bootc-rocm-rhel9 | — | — |
| rhelai3 | disk-image-cuda-rhel9 | — | — |
| rhoai | odh-llama-stack-core-rhel9 | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 3.3 | LOW | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L |
| nvd | 4.0 | 5.1 | MEDIUM | CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vendor_redhat | — | 5.1 | MEDIUM | — |
Red Hat
pypdf: pypdf: Denial of Service via crafted PDF
vendor_redhat · 2026-05-28 · CVSS 5.1 · MEDIUM · CWE-606
A flaw was found in pypdf, a free and open-source pure-python PDF library. A remote attacker could exploit this vulnerability by crafting a malicious PDF file. This file, containing specific cross-reference streams with `/W [0 0 0]` values and large `/Size` values, can lead to excessively long processing times. This can result in a Denial of Service (DoS) for applications processing such PDFs.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Package: exploit-intelligence-tech-preview/vulnerability-analysis-rhel9 (Exploit Intelligence) - Fix defer
GHSA
pypdf: Possible long runtimes for zero-only width values in cross-reference streams
ghsa · 2026-06-12 · MEDIUM · CWE-834
### Impact
An attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires cross-reference streams with `/W [0 0 0]` values and large `/Size` values.
### Patches
This has been fixed in [pypdf==6.12.0](https://github.com/py-pdf/pypdf/releases/tag/6.12.0).
### Workarounds
If developers are unable to upgrade their apps immediately, they should consider applying the changes from PR [#3791](https://github.com/py-pdf/pypdf/pull/3791).
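For deployments that cannot upgrade or backport the PR yet, a cheap pre-parse gate can refuse files showing the pattern the advisory describes before they reach pypdf. The check below is an added example, not pypdf's own code; it relies on the fact that a cross-reference stream's dictionary is always cleartext in the file (only the stream data may be compressed), scans for `/Type /XRef` objects whose `/W` array is all zeros, and reports their `/Size`. The `size_limit` threshold, the window delimited by the `obj` and `stream` keywords, and the sample byte strings are constructed assumptions.

```python
import re

# Added defensive pre-check (not pypdf code). Xref stream dictionaries are never
# compressed, so a byte scan finds /Type /XRef, /W and /Size without parsing the PDF.
XREF_TYPE_RE = re.compile(rb"/Type\s*/XRef\b")
W_RE = re.compile(rb"/W\s*\[\s*((?:\d+\s*)+)\]")
SIZE_RE = re.compile(rb"/Size\s+(\d+)")


def suspicious_xref_streams(pdf_bytes, size_limit=100_000):
    """Return findings for every xref stream whose /W widths are all zero.

    Each finding is a dict with the object's offset, its /W widths, its /Size and
    whether /Size exceeds size_limit (a constructed threshold, not a pypdf value).
    """
    findings = []
    for m in XREF_TYPE_RE.finditer(pdf_bytes):
        # An xref stream is always an indirect object: "N G obj << ... >> stream".
        # The dictionary therefore lies between the last "obj" keyword before
        # /Type /XRef and the first "stream" keyword after it.
        start = pdf_bytes.rfind(b"obj", 0, m.start())
        end = pdf_bytes.find(b"stream", m.end())
        if start < 0 or end < 0:
            continue
        dictionary = pdf_bytes[start:end]
        w = W_RE.search(dictionary)
        if w is None:
            continue
        widths = [int(x) for x in w.group(1).split()]
        if any(widths):  # at least one non-zero field width: a normal xref stream
            continue
        s = SIZE_RE.search(dictionary)
        size = int(s.group(1)) if s else 0
        findings.append({"offset": m.start(), "widths": widths,
                         "size": size, "large": size > size_limit})
    return findings


def is_safe_to_parse(pdf_bytes, size_limit=100_000):
    """True unless an all-zero /W xref stream also declares a large /Size."""
    return not any(f["large"] for f in suspicious_xref_streams(pdf_bytes, size_limit))


# Constructed samples (not real files): a normal xref stream dictionary and one
# that shows the /W [0 0 0] plus large /Size combination named in the advisory.
BENIGN = (b"%PDF-1.5\n5 0 obj\n<< /Type /XRef /W [1 2 1] /Size 6 "
          b"/Filter /FlateDecode >>\nstream\nxx\nendstream\nendobj\n")
SUSPECT = (b"%PDF-1.5\n5 0 obj\n<< /Type /XRef /W [0 0 0] /Size 50000000 >>"
           b"\nstream\nendstream\nendobj\n")
```

Run the gate on uploads before handing bytes to pypdf, and log the finding's offset and `/Size` so rejected files can be triaged.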
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-48156 python-PyPDF2: pypdf: Denial of Service via crafted PDF [fedora-all]
bugzilla · 2026-06-04 · CVSS 5.1 · MEDIUM
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-48156 python-pypdf: pypdf: Denial of Service via crafted PDF [fedora-all]
bugzilla · 2026-06-04 · CVSS 5.1 · MEDIUM
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-48156 pypdf: pypdf: Denial of Service via crafted PDF
bugzilla · 2026-05-28 · CVSS 5.1 · MEDIUM
pypdf is a free and open-source pure-python PDF library. Prior to 6.12.0, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires cross-reference streams with /W [0 0 0] values and large /Size values. This vulnerability is fixed in 6.12.0.