CVE-2026-59935

py-pdf · pypdf

The pypdf library is susceptible to an infinite loop vulnerability caused by an unreachable exit condition when processing malformed PDF files.

Executive summary

A high-severity infinite loop vulnerability in pypdf allows unauthenticated attackers to cause a denial-of-service condition through resource exhaustion.

Vulnerability

This vulnerability (CWE-835) exists due to an improperly handled exit condition during PDF parsing. An unauthenticated attacker can supply a specially crafted PDF file that forces the application into an infinite loop, consuming excessive CPU resources.

Business impact

Successful exploitation of this flaw results in a denial-of-service (DoS) condition, rendering the affected application or service unresponsive. Given the CVSS score of 8.7, the impact on availability is significant, potentially disrupting critical business operations that rely on PDF document processing.

Remediation

Immediate Action: Upgrade to pypdf version 6.14.2 or later to apply the necessary fix for the infinite loop logic.

Proactive Monitoring: Monitor server CPU utilization and process duration logs for anomalies or spikes associated with PDF processing tasks.

Compensating Controls: Implement resource limits (e.g., cgroups or timeout configurations) on the processing environment to prevent a single malicious file from exhausting server resources.

Exploitation status

Public Exploit Available: false

Analyst recommendation

The severity of this vulnerability necessitates immediate attention. Organizations utilizing pypdf for document handling should prioritize updating to the patched version 6.14.2 to mitigate the risk of denial-of-service attacks against their infrastructure.