PYSEC-2026-1836

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/pypdf2/PYSEC-2026-1836.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-1836
Aliases
Published
2026-07-07T11:45:19.767457Z
Modified
2026-07-07T17:46:59.504076185Z
Severity
  • 6.2 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
PyPDF2 vulnerable to possible Infinite Loop when reading malformed objects
Details

Impact

An attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This infinite loop blocks the current process and can utilize a single core of the CPU by 100%. It does not affect memory usage. That is, for example, the case if the user extracted metadata from such a malformed PDF.

Patches

The issue was fixed with https://github.com/py-pdf/pypdf/pull/1331

Workarounds

If you cannot update your version of PyPDF2 (preferably to pypdf>3.1.0 as PyPDF2 is deprecated), you should modify PyPDF2/generic/_data_structures.py::read_object.

Replace:

    else:
        # number object OR indirect reference
        peek = stream.read(20)
        stream.seek(-len(peek), 1)  # reset to start
        if IndirectPattern.match(peek) is not None:
            return IndirectObject.read_from_stream(stream, pdf)
        else:
            return NumberObject.read_from_stream(stream)

by

    elif tok in b"0123456789+-.":
        # number object OR indirect reference
        peek = stream.read(20)
        stream.seek(-len(peek), 1)  # reset to start
        if IndirectPattern.match(peek) is not None:
            return IndirectObject.read_from_stream(stream, pdf)
        else:
            return NumberObject.read_from_stream(stream)
    else:
        raise PdfReadError(
            f"Invalid Elementary Object starting with {tok} @{stream.tell()}"
        )

References

References

Affected packages

PyPI / pypdf2

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.10.5
Fixed
2.10.6

Affected versions

2.*
2.10.5

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/pypdf2/PYSEC-2026-1836.yaml"