CVE-2026-27888

pypdf is a free and open-source pure-python PDF library. Prior to 6.7.3, an attacker who uses this vulnerability can craft a PDF which leads to the RAM being exhausted. This requires accessing the xfa property of a reader or writer and the corresponding stream being compressed using /FlateDecode. This has been fixed in pypdf 6.7.3. As a workaround, apply the patch manually.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27888.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-400"
    ]
}

References

Affected packages

Git / github.com/py-pdf/pypdf

Affected ranges

Type: GIT
Repo: https://github.com/py-pdf/pypdf
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

05e6d3c03deaec6b16b53825465537ac9e7a1a14

Affected versions

1.*

1.26.0

1.27.0

1.27.1

1.27.10

1.27.11

1.27.12

1.27.2

1.27.3

1.27.4

1.27.5

1.27.6

1.27.7

1.27.8

1.27.9

1.28.0

1.28.1

1.28.2

2.*

2.0.0

2.1.0

2.1.1

2.10.0

2.10.1

2.10.2

2.10.3

2.10.4

2.10.5

2.10.6

2.10.7

2.10.8

2.10.9

2.11.0

2.11.1

2.11.2

2.12.0

2.12.1

2.2.0

2.2.1

2.3.0

2.3.1

2.4.0

2.4.1

2.4.2

2.5.0

2.6.0

2.7.0

2.8.0

2.8.1

2.9.0

3.*

3.0.0

3.1.0

3.10.0

3.11.0

3.11.1

3.12.0

3.12.1

3.12.2

3.13.0

3.14.0

3.15.0

3.15.1

3.15.2

3.15.3

3.15.4

3.15.5

3.16.0

3.16.1

3.16.2

3.16.3

3.16.4

3.17.0

3.17.1

3.17.2

3.17.3

3.17.4

3.2.0

3.2.1

3.3.0

3.4.0

3.4.1

3.5.0

3.5.1

3.5.2

3.6.0

3.7.0

3.7.1

3.8.0

3.8.1

3.9.0

3.9.1

4.*

4.0.0

4.0.1

4.0.2

4.1.0

4.2.0

4.3.0

4.3.1

5.*

5.0.0

5.0.1

5.1.0

5.2.0

5.3.0

5.3.1

5.4.0

5.5.0

5.6.0

5.6.1

5.7.0

5.8.0

5.9.0

6.*

6.0.0

6.1.0

6.1.1

6.1.2

6.1.3

6.2.0

6.3.0

6.4.0

6.4.1

6.4.2

6.5.0

6.6.0

6.6.1

6.6.2

6.7.0

6.7.1

6.7.2

v1.*

v1.17

v1.18

v1.19

v1.20

v1.21

v1.22

v1.23

v1.24

v1.25

v1.25.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27888.json"