CVE-2026-22690 Overview
CVE-2026-22690 is a Denial of Service vulnerability in pypdf, a free and open-source pure-Python PDF library. Prior to version 6.6.0, pypdf is susceptible to potentially long runtimes when processing PDF files with missing /Root objects combined with large /Size values. An attacker can craft a malicious PDF that causes extended processing times for files that are technically invalid, potentially leading to resource exhaustion in applications that process untrusted PDF content.
Critical Impact
Applications using pypdf in non-strict reading mode may experience denial of service conditions when processing maliciously crafted PDF files with missing /Root entries and large /Size values.
Affected Products
- pypdf versions prior to 6.6.0
- Applications using pypdf's non-strict reading mode for PDF processing
- Python applications processing untrusted PDF input with the pypdf library
Discovery Timeline
- 2026-01-10 - CVE-2026-22690 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2026-22690
Vulnerability Analysis
This vulnerability is classified under CWE-400 (Uncontrolled Resource Consumption). The issue exists in pypdf's non-strict reading mode, which is designed to handle partially broken or malformed PDF files more leniently. When processing a PDF file, pypdf examines the trailer dictionary to locate critical structural elements including the /Root object. By crafting a PDF that omits the /Root entry while specifying a large /Size value, an attacker can trigger resource-intensive operations that significantly extend processing time.
The vulnerability specifically affects the parsing logic that attempts to resolve page references and traverse the PDF object tree. Without proper validation and cycle detection, the parser can enter computationally expensive loops when handling these malformed structures.
Root Cause
The root cause lies in insufficient validation of PDF structural integrity during non-strict parsing. When the /Root entry is missing from the trailer dictionary, the parser should immediately reject the file or handle the error gracefully. Instead, the large /Size value causes the parser to allocate resources and attempt operations that are ultimately futile for invalid files. Additionally, the code lacked detection for cyclic page references, which could compound the resource consumption issue.
Attack Vector
The attack can be executed remotely by providing a maliciously crafted PDF file to any application using pypdf in non-strict mode. Attack scenarios include:
- Uploading malicious PDFs to web applications that process user-submitted documents
- Sending crafted PDFs via email to services with automatic PDF processing
- Providing malicious PDFs to document conversion or indexing services
The attack requires no authentication or special privileges, only the ability to submit a PDF file for processing.
for attr in inheritable_page_attributes:
if attr in pages:
inherit[attr] = pages[attr]
+ pages_reference = getattr(pages, "indirect_reference", object())
for page in cast(ArrayObject, pages[PagesAttributes.KIDS]):
+ if getattr(page, "indirect_reference", object()) == pages_reference:
+ raise PdfReadError("Detected cyclic page references.")
+
addt = {}
if isinstance(page, IndirectObject):
addt["indirect_reference"] = page
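Review bot: the cycle check compares each kid only against its immediate parent's indirect reference (`pages_reference`), so it catches a /Kids entry that points straight back at the same /Pages node but not a cycle that spans two or more levels (A -> B -> A); consider carrying a set of already-visited indirect references down the recursion and raising the same PdfReadError when a kid is found in it. Using a fresh `object()` as the getattr default on both sides is sound: two nodes without an indirect_reference never compare equal, so direct (non-indirect) objects cannot produce a false positive.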
Source: GitHub Commit Changes
The patch adds detection for cyclic page references by tracking the pages_reference and comparing it against each page's indirect reference during iteration. When a cycle is detected, it raises a PdfReadError to prevent infinite loops.
Detection Methods for CVE-2026-22690
Indicators of Compromise
- Abnormally high CPU utilization during PDF processing operations
- Extended processing times for PDF files that should parse quickly
- Application hangs or timeouts when handling PDF uploads or conversions
- Memory consumption spikes in services processing PDF documents
Detection Strategies
- Monitor Python application logs for timeout errors during PDF processing with pypdf
- Implement resource monitoring for processes using the pypdf library
- Set up alerts for CPU usage anomalies in PDF processing services
- Track processing duration metrics for PDF operations and flag statistical outliers
Monitoring Recommendations
- Implement processing time limits for PDF parsing operations
- Add resource quotas for services handling untrusted PDF input
- Log and analyze PDF file characteristics (size, structure) before processing
- Monitor for repeated failures or timeouts from the same source
How to Mitigate CVE-2026-22690
Immediate Actions Required
- Upgrade pypdf to version 6.6.0 or later immediately
- Review all applications using pypdf and identify those operating in non-strict mode
- Implement processing timeouts for PDF parsing operations as a defense-in-depth measure
- Consider using strict mode for processing untrusted PDF files where possible
Patch Information
The vulnerability has been patched in pypdf version 6.6.0. The fix improves handling of partially broken PDF files by detecting cyclic page references and properly validating PDF structure. For detailed information about the security fix, refer to the GitHub Security Advisory GHSA-4xc4-762w-m6cg and the GitHub Pull Request Discussion.
Workarounds
- Use strict mode (strict=True) when instantiating PdfReader for untrusted input
- Implement timeout mechanisms around PDF processing operations
- Pre-validate PDF file structure before processing (check for required /Root entry)
- Apply file size limits and processing time constraints at the application level
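As an added example (not pypdf's code and not part of the advisory), the following implements the pre-validation and strict-mode workarounds above: it scans the raw bytes for a trailer dictionary, requires a /Root reference and a plausible /Size, and only then opens the file with strict=True. The regular expressions are a heuristic over the bytes rather than a PDF parser, and the function names, the max_size and slack thresholds, and the two sample files are all constructed for this example.

```python
import io
import re
from typing import NamedTuple

# Trailer-like dictionaries: the classic "trailer << ... >>" form, plus the dictionary
# of a cross-reference stream object (/Type /XRef) that PDF 1.5+ files may use instead.
TRAILER_RE = re.compile(rb"trailer\s*<<(.*?)>>", re.DOTALL)
XREF_TYPE_RE = re.compile(rb"/Type\s*/XRef")
ROOT_RE = re.compile(rb"/Root\s+\d+\s+\d+\s+R")
SIZE_RE = re.compile(rb"/Size\s+(\d+)")
OBJ_RE = re.compile(rb"\d+\s+\d+\s+obj\b")  # "n g obj" headers actually present

TrailerCheck = NamedTuple("TrailerCheck", [("ok", bool), ("reason", str), ("size", int)])


def check_trailer(data: bytes, max_size: int = 1_000_000, slack: int = 1000) -> TrailerCheck:
    """Heuristic structural pre-check on raw bytes; the two thresholds are illustrative."""
    trailers = TRAILER_RE.findall(data)
    for m in XREF_TYPE_RE.finditer(data):  # nearest << ... >> around each /Type /XRef
        start, end = data.rfind(b"<<", 0, m.start()), data.find(b">>", m.end())
        if start != -1 and end != -1:
            trailers.append(data[start + 2:end])
    if not trailers:
        return TrailerCheck(False, "no trailer or xref-stream dictionary found", 0)
    if not any(ROOT_RE.search(t) for t in trailers):
        return TrailerCheck(False, "trailer lacks a /Root reference", 0)
    size = max((int(m.group(1)) for t in trailers for m in SIZE_RE.finditer(t)), default=0)
    if size > max_size:
        return TrailerCheck(False, f"/Size {size} exceeds limit {max_size}", size)
    objects = len(OBJ_RE.findall(data))
    if size > objects + slack:  # /Size should be near the highest object number + 1
        return TrailerCheck(False, f"/Size {size} far exceeds {objects} objects found", size)
    return TrailerCheck(True, "trailer looks structurally sane", size)


def open_untrusted_pdf(data: bytes):
    """Reject structurally broken input first, then parse in strict mode so it fails fast."""
    from pypdf import PdfReader  # lazy import; pypdf >= 6.6.0 carries the upstream fix

    result = check_trailer(data)
    if not result.ok:
        raise ValueError(f"rejected before parsing: {result.reason}")
    return PdfReader(io.BytesIO(data), strict=True)


# Constructed sample inputs (not real documents): a minimal valid trailer, and one shaped
# like the advisory describes, with the /Root entry missing and an oversized /Size.
GOOD_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
            b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
            b"xref\n0 3\ntrailer\n<< /Size 3 /Root 1 0 R >>\nstartxref\n9\n%%EOF\n")
BAD_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
           b"xref\n0 2\ntrailer\n<< /Size 999999999 >>\nstartxref\n9\n%%EOF\n")
```

The pre-check is a cheap gate, not a substitute for upgrading; a CPU-bound parse still needs an external timeout (for example, a worker process with a wall-clock limit), since Python cannot interrupt a busy parser from inside the same thread.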
# Upgrade pypdf to the patched version (quote the specifier so the shell does not read >= as a redirect)
pip install --upgrade "pypdf>=6.6.0"
# Verify the installed version
pip show pypdf | grep Version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

