An attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing large XMP metadata, possibly with lots of unnecessary elements.
This has been fixed in pypdf==6.12.1.
If you cannot upgrade yet, consider applying the changes from PR #3796.
{
"github_reviewed_at": "2026-06-16T13:45:58Z",
"nvd_published_at": "2026-05-28T16:16:29Z",
"github_reviewed": true,
"cwe_ids": [
"CWE-770"
],
"severity": "MODERATE"
}