An attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires accessing a stream which uses the /FlateDecode filter with a PNG predictor.
This has been fixed in pypdf==6.12.2.
If you cannot upgrade yet, consider applying the changes from PR #3806.
{
"github_reviewed_at": "2026-06-16T13:46:42Z",
"nvd_published_at": null,
"github_reviewed": true,
"cwe_ids": [
"CWE-407"
],
"severity": "MODERATE"
}