PatchSiren cyber security CVE debrief
CVE-2026-48155 py-pdf CVE debrief
CVE-2026-48155 is a medium-severity uncontrolled resource consumption vulnerability (CWE-400) in pypdf, a pure-Python PDF library. The vulnerability exists in versions prior to 6.12.0 and can be triggered when extracting text in layout mode with large character offsets, leading to excessive memory usage. The issue was published on 2026-05-28 and remains under analysis by NVD. No known exploitation in the wild or ransomware campaign use has been reported. The vulnerability is fixed in pypdf version 6.12.0.
- Vendor: py-pdf
- Product: pypdf
- CVSS: MEDIUM 4.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-28
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-28
- Advisory updated: 2026-05-29
Who should care
Organizations using pypdf for PDF text extraction, particularly in layout mode, should prioritize this update. This includes document processing pipelines, content management systems, and any Python applications that extract text from untrusted PDF sources. Developers building PDF processing services should implement the recommended upgrade and input validation measures.
Technical summary
The vulnerability stems from improper handling of large character offsets during PDF text extraction in layout mode. When processing maliciously crafted PDFs with extreme offset values, pypdf allocates excessive memory, potentially causing denial of service through resource exhaustion. The attack requires local access and user interaction (opening/processing a malicious PDF), with low attack complexity. The CVSS 4.0 score of 4.8 reflects limited availability impact with no confidentiality or integrity impact.
Defensive priority
medium
Recommended defensive actions
- Upgrade pypdf to version 6.12.0 or later to remediate this vulnerability
- Review applications using pypdf for text extraction in layout mode and assess exposure to untrusted PDF sources
- Monitor memory usage when processing PDFs with large character offsets in layout mode
- Validate and sanitize PDF inputs from untrusted sources before text extraction
- Consider implementing resource limits (memory caps, timeouts) for PDF processing workflows
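One way to carry out the last two actions, as an added example that is not part of this advisory or of pypdf: run layout-mode extraction in a forked worker under an address-space cap and a wall-clock deadline, so a crafted PDF that triggers the oversized allocation fails only that job instead of exhausting the host. `run_guarded` and `extract_layout_text_guarded` are names introduced here; the worker calls pypdf's documented `PdfReader` and `extract_text(extraction_mode="layout")`, and the code assumes Linux (`os.fork`, `resource.RLIMIT_AS`).

```python
import os, pickle, resource, select, signal, time


def run_guarded(fn, args=(), timeout_s=30.0, memory_cap_bytes=None):
    """Run fn(*args) in a forked child; returns ("ok", result), ("timeout", None), ("memory", None) or ("error", msg)."""
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: the cap applies only here, never to the caller's process
        os.close(rfd)
        try:
            if memory_cap_bytes is not None:
                resource.setrlimit(resource.RLIMIT_AS, (memory_cap_bytes, memory_cap_bytes))
            payload = ("ok", fn(*args))
        except MemoryError:  # the oversized allocation hit the cap: fail this job, not the host
            payload = ("memory", None)
        except BaseException as exc:  # report anything else (parse errors, SystemExit) to the parent
            payload = ("error", repr(exc))
        try:
            with os.fdopen(wfd, "wb") as w:
                w.write(pickle.dumps(payload))
        finally:
            os._exit(0)  # never fall through into the parent's code path
    os.close(wfd)
    chunks, deadline = [], time.monotonic() + timeout_s
    try:
        while True:  # read while waiting so a large result cannot stall the child on a full pipe
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                os.kill(pid, signal.SIGKILL)
                os.waitpid(pid, 0)
                return ("timeout", None)
            if select.select([rfd], [], [], remaining)[0]:
                chunk = os.read(rfd, 65536)
                if not chunk:  # EOF: child exited, normally or killed by the kernel OOM killer
                    break
                chunks.append(chunk)
    finally:
        os.close(rfd)
    os.waitpid(pid, 0)
    data = b"".join(chunks)
    return pickle.loads(data) if data else ("error", "child exited without a result")


def _layout_text(pdf_path):
    from pypdf import PdfReader  # imported inside the capped worker only
    reader = PdfReader(pdf_path)
    return "\n".join(page.extract_text(extraction_mode="layout") for page in reader.pages)


def extract_layout_text_guarded(pdf_path, timeout_s=30.0, memory_cap_bytes=1024 ** 3):
    # Example defaults (assumed): 30 s wall clock and a 1 GiB address-space cap per document.
    return run_guarded(_layout_text, (pdf_path,), timeout_s, memory_cap_bytes)
```

`RLIMIT_AS` bounds virtual address space rather than resident memory, so set the cap above the interpreter's normal footprint; on platforms that do not enforce it, only the deadline and the process boundary still apply.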
Evidence notes
Vulnerability description and fix version confirmed via GitHub Security Advisory GHSA-cj93-chg6-vgv8. Fix commit available in pull request #3790. CVSS 4.0 vector indicates local attack vector with low attack complexity, requiring user interaction but no privileges.
Official resources
2026-05-28