Allocation of Resources Without Limits or Throttling in pypdf | CVE-2026-28351

Q: How to fix?

Upgrade pypdf to version 6.7.4 or higher.

Introduced: 28 Feb 2026

NewCVE-2026-28351 (opens in a new tab) CWE-770 (opens in a new tab)

How to fix?

Upgrade pypdf to version 6.7.4 or higher.

Overview

pypdf is an A pure-python PDF library capable of splitting, merging, cropping, and transforming PDF files

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the RunLengthDecode filter, implemented in filters.py. An attacker can cause excessive memory consumption by submitting a malicious PDF file containing a compressed payload that is very large when uncompressed.

Note: This is only exploitable if the content stream is parsed using the RunLengthDecode filter.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
Present
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
None
Integrity (VI)
None
Availability (VA)
Low

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None

Allocation of Resources Without Limits or Throttling Affecting pypdf package, versions [,6.7.4)

Severity

Do your applications use this vulnerable package?

Snyk Learn

Introduced: 28 Feb 2026

How to fix?

Overview

References

CVSS Base Scores

Snyk