PatchSiren cyber security CVE debrief
CVE-2026-48156 py-pdf CVE debrief
A denial-of-service vulnerability exists in pypdf prior to version 6.12.0. An attacker can craft a malicious PDF file that causes excessive processing time, leading to application slowdown or unavailability. The attack leverages cross-reference streams with /W [0 0 0] values combined with large /Size values in the PDF structure. This vulnerability has been assigned a CVSS 4.0 score of 5.1 (MEDIUM severity). The issue was disclosed on May 28, 2026, and a fix is available in pypdf 6.12.0.
- Vendor
- py-pdf
- Product
- pypdf
- CVSS
- MEDIUM 5.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-28
- Original CVE updated
- 2026-05-29
- Advisory published
- 2026-05-28
- Advisory updated
- 2026-05-29
Who should care
Organizations using pypdf for PDF processing in production environments, particularly those handling untrusted or user-submitted PDF files. Developers building document processing pipelines, automated PDF analysis tools, or web services that accept PDF uploads should prioritize this update. Security teams monitoring for denial-of-service vectors in document processing workflows should include this in their vulnerability management programs.
Technical summary
The vulnerability resides in pypdf's handling of PDF cross-reference streams, the /Type /XRef stream objects that replace the classic xref table in PDF 1.5 and later. The stream dictionary's /W array gives the byte width of each of the three fields in a cross-reference entry, and /Size (or the counts in /Index, which defaults to [0 /Size]) tells the parser how many entries to read. With /W [0 0 0] every entry is zero bytes wide, so reading one consumes no stream data; the number of iterations is then governed only by the attacker-controlled /Size value, and a large /Size makes the parser do work proportional to that count even though the file itself can be tiny. This is an algorithmic complexity issue (CWE-834: Excessive Iteration). The CVSS vector is local (AV:L) because the vulnerable component is a file parser rather than a network service, not because the attacker needs an account on the host: any workflow that hands an attacker-supplied PDF to pypdf, such as an upload endpoint or an attachment pipeline, reaches the affected code with no user interaction and no privileges. The impact is availability degradation through processing-time exhaustion.
Defensive priority
medium
Recommended defensive actions
- Upgrade pypdf to version 6.12.0 or later to remediate this vulnerability
- Implement input validation for PDF files processed by applications using pypdf. A file-size limit alone does not address this issue, because the trigger is a small dictionary value (a large declared /Size), so consider rejecting or quarantining files whose cross-reference streams declare an all-zero /W array or an entry count far beyond what the file could plausibly contain
- Run PDF processing under resource limits (CPU-time and wall-clock timeouts, memory caps) or in a sandboxed worker process, so that a pathological file degrades only that job rather than the whole service
- Monitor for anomalous processing times in PDF handling workflows as a potential indicator of exploitation attempts
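The following pre-parse check is an added example written for this debrief; it is not pypdf's code and not part of the advisory. It scans the raw bytes for /Type /XRef stream dictionaries with a deliberately simple regular expression (it does not decode the streams and does not handle every corner of PDF syntax, so treat it as a triage filter in front of the parser, not as a parser) and flags the two properties the technical summary describes: an all-zero /W array, and a declared entry count far larger than any real document needs. The cap MAX_XREF_ENTRIES, the function names, and the two embedded sample files are assumptions constructed for this example; the samples are minimal fragments with placeholder offsets and stream bytes, not working documents and not real malicious files.

```python
import re
from dataclasses import dataclass, field

# Assumed cap on entries one cross-reference stream may declare. Real documents
# have thousands of objects, not hundreds of millions; tune for your workload.
MAX_XREF_ENTRIES = 5_000_000

# Matches "N G obj << ... >> stream". The tempered dot keeps a match from running
# past an "endobj" into a later object's dictionary.
_XREF_OBJ_RE = re.compile(
    rb"(\d+)\s+(\d+)\s+obj\s*<<((?:(?!endobj).)*?)>>\s*stream", re.DOTALL)
_W_RE = re.compile(rb"/W\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s*\]")
_SIZE_RE = re.compile(rb"/Size\s+(\d+)")
_INDEX_RE = re.compile(rb"/Index\s*\[([^\]]*)\]")


@dataclass
class XrefStreamInfo:
    obj_num: int
    widths: tuple            # /W: byte width of each of the three entry fields
    size: int                # /Size as declared in the dictionary
    entry_count: int         # entries a parser would iterate over
    bytes_per_entry: int     # sum of /W; 0 means an entry consumes no stream data
    problems: list = field(default_factory=list)


def declared_entry_count(size, index_values):
    """Entries an xref stream declares: the sum of the /Index counts, else /Size
    (the spec default for /Index is [0 Size])."""
    if index_values:
        return sum(index_values[1::2])
    return size


def inspect_xref_streams(pdf_bytes, max_entries=MAX_XREF_ENTRIES):
    """Return one XrefStreamInfo per /Type /XRef stream, without decoding any stream."""
    results = []
    for m in _XREF_OBJ_RE.finditer(pdf_bytes):
        dict_bytes = m.group(3)
        if b"/XRef" not in dict_bytes:
            continue
        w_m = _W_RE.search(dict_bytes)
        s_m = _SIZE_RE.search(dict_bytes)
        i_m = _INDEX_RE.search(dict_bytes)
        widths = tuple(int(x) for x in w_m.groups()) if w_m else ()
        size = int(s_m.group(1)) if s_m else 0
        index_values = [int(x) for x in i_m.group(1).split()] if i_m else []
        info = XrefStreamInfo(int(m.group(1)), widths, size,
                              declared_entry_count(size, index_values), sum(widths))
        if not (w_m and s_m):
            info.problems.append("missing /W or /Size")
        # /W [0 x y] is legal (the type field then defaults to 1); only an
        # all-zero array means the loop is bounded by nothing but /Size.
        if w_m and info.bytes_per_entry == 0:
            info.problems.append("/W [0 0 0]: zero-width entries consume no stream data")
        if info.entry_count > max_entries:
            info.problems.append(f"declares {info.entry_count} entries, cap is {max_entries}")
        results.append(info)
    return results


def is_safe_to_parse(pdf_bytes, max_entries=MAX_XREF_ENTRIES):
    """True when no cross-reference stream in the file trips a check."""
    return all(not info.problems for info in inspect_xref_streams(pdf_bytes, max_entries))


# Constructed sample: a benign skeleton (offsets and stream bytes are placeholders).
BENIGN_PDF = b"""%PDF-1.5
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [] /Count 0 >>
endobj
3 0 obj
<< /Type /XRef /Size 4 /W [1 2 1] /Index [0 4] /Root 1 0 R /Length 16 >>
stream
\x00\x00\x00\xff\x01\x00\x09\x00\x01\x00\x2e\x00\x01\x00\x55\x00
endstream
endobj
startxref
85
%%EOF
"""

# Same skeleton with the dictionary shape the advisory describes: an all-zero /W
# and a huge /Size, while the file itself stays a few hundred bytes.
SUSPECT_PDF = BENIGN_PDF.replace(b"/Size 4 /W [1 2 1] /Index [0 4]",
                                 b"/Size 100000000 /W [0 0 0]")

if __name__ == "__main__":
    for name, data in (("benign", BENIGN_PDF), ("suspect", SUSPECT_PDF)):
        for info in inspect_xref_streams(data):
            print(name, info.obj_num, info.widths, info.entry_count, info.problems)
```

Run the check on uploads before they reach pypdf and route anything with a non-empty problems list to quarantine or a strictly time-limited worker. Because the filter inspects only dictionary values and never allocates per entry, it costs a single pass over the bytes regardless of what /Size claims.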
Evidence notes
The vulnerability description indicates that malicious PDFs with specific cross-reference stream parameters (/W [0 0 0] and large /Size values) can trigger long runtimes. The fix was released in pypdf 6.12.0. The CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L) indicates local attack vector with low attack complexity, no privileges required, and low availability impact.
Official resources
2026-05-28