Join the Cyber Forum: Threat Intel on May 12, 2026 to learn how AI is reshaping threat defense.Join the Virtual Cyber Forum: Threat IntelRegister Now
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • AI Data Pipelines
      Security Data Pipeline for AI SIEM and Data Optimization
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2026-22691

CVE-2026-22691: pypdf Library DoS Vulnerability

CVE-2026-22691 is a denial of service vulnerability in pypdf, a pure-python PDF library, caused by malformed startxref entries that trigger long runtimes. This article covers technical details, affected versions, and mitigation.

Updated: January 22, 2026

CVE-2026-22691 Overview

CVE-2026-22691 is a Denial of Service vulnerability affecting pypdf, a free and open-source pure-Python PDF library. Prior to version 6.6.0, pypdf is susceptible to resource exhaustion when processing PDF files containing malformed startxref entries. An attacker can craft a malicious PDF document that causes extended runtimes when the library attempts to rebuild the cross-reference table, particularly when the file contains excessive whitespace characters. This vulnerability only affects the non-strict reading mode of pypdf.

Critical Impact

Maliciously crafted PDF files can cause prolonged processing times, leading to resource exhaustion and potential denial of service in applications using pypdf in non-strict mode.

Affected Products

  • pypdf versions prior to 6.6.0
  • Applications using pypdf in non-strict reading mode
  • Python-based PDF processing pipelines leveraging pypdf

Discovery Timeline

  • 2026-01-10 - CVE CVE-2026-22691 published to NVD
  • 2026-01-13 - Last updated in NVD database

Technical Details for CVE-2026-22691

Vulnerability Analysis

This vulnerability is classified under CWE-400 (Uncontrolled Resource Consumption). The issue occurs during the cross-reference table rebuilding process in pypdf when operating in non-strict reading mode. When the library encounters a PDF file with an invalid or malformed startxref entry, it attempts to parse and reconstruct the cross-reference table. If the PDF contains large amounts of whitespace characters, this parsing operation can become computationally expensive, consuming excessive CPU time and potentially causing the application to become unresponsive.

The startxref keyword in a PDF file indicates the byte offset where the cross-reference table begins. When this value is malformed or points to an invalid location, pypdf's non-strict mode attempts to recover by searching through the document to locate valid cross-reference information. This recovery mechanism becomes problematic when the document is crafted with excessive whitespace, causing the parser to spend significant time iterating through meaningless content.

Root Cause

The root cause lies in the insufficient bounds checking and optimization during the cross-reference table rebuilding process. When pypdf operates in non-strict mode, it provides lenient parsing to handle slightly malformed PDF documents. However, this leniency creates an algorithmic complexity vulnerability where documents with large whitespace regions combined with invalid startxref entries trigger worst-case parsing scenarios. The library lacks adequate safeguards to limit processing time or detect patterns indicative of malicious documents.

Attack Vector

The attack is network-accessible, requiring no authentication or user interaction beyond the victim application processing a malicious PDF file. An attacker can exploit this vulnerability by:

  1. Creating a PDF file with a deliberately malformed startxref entry pointing to an invalid location
  2. Inserting large quantities of whitespace characters throughout the document
  3. Delivering this malicious PDF to an application using pypdf in non-strict reading mode
  4. The application attempts to parse the PDF, triggering the inefficient cross-reference rebuilding process
  5. The application experiences extended processing times, potentially leading to service degradation or denial

Applications that accept PDF uploads from untrusted sources, automated PDF processing pipelines, and web services that parse user-submitted PDFs are particularly at risk.

Detection Methods for CVE-2026-22691

Indicators of Compromise

  • Unusually high CPU utilization during PDF processing operations
  • Extended processing times for PDF file parsing tasks
  • Application timeouts or unresponsiveness when handling specific PDF files
  • PDF files with abnormally large file sizes relative to their content
  • Log entries indicating failures or timeouts in PDF parsing functions

Detection Strategies

  • Monitor pypdf version in application dependencies and flag any version below 6.6.0
  • Implement processing time thresholds for PDF parsing operations and alert on exceeding limits
  • Deploy file size and complexity analysis on incoming PDF files before processing
  • Use static analysis tools to identify pypdf usage patterns, particularly non-strict mode configurations
  • Review application logs for recurring PDF parsing failures or performance anomalies

Monitoring Recommendations

  • Establish baseline metrics for PDF processing times and monitor for significant deviations
  • Implement resource usage monitoring (CPU, memory) on systems running pypdf-based applications
  • Configure alerting for PDF processing tasks that exceed expected duration thresholds
  • Track the ratio of PDF file size to processing time as an anomaly detection metric

How to Mitigate CVE-2026-22691

Immediate Actions Required

  • Upgrade pypdf to version 6.6.0 or later immediately
  • Review applications for non-strict mode usage and consider switching to strict mode where feasible
  • Implement processing timeouts for all PDF parsing operations as a defense-in-depth measure
  • Validate and sanitize PDF files from untrusted sources before processing
  • Consider implementing file size limits for uploaded PDF documents

Patch Information

The vulnerability has been addressed in pypdf version 6.6.0. The fix was implemented in commit 294165726b646bb7799be1cc787f593f2fdbcf45 and is tracked in GitHub Pull Request #3594. Users should update to the patched version by running pip install --upgrade pypdf>=6.6.0. Additional details are available in the GitHub Security Advisory GHSA-4f6g-68pf-7vhv and the release notes for version 6.6.0.

Workarounds

  • Enable strict mode when parsing PDF files by setting strict=True in pypdf reader initialization
  • Implement processing timeouts using Python's signal module or threading-based timeout mechanisms
  • Pre-validate PDF structure using alternative tools before passing to pypdf
  • Deploy input file size restrictions to limit exposure to large malicious documents
  • Isolate PDF processing in separate worker processes with resource limits
bash
# Upgrade pypdf to patched version
pip install --upgrade pypdf>=6.6.0

# Verify installed version
pip show pypdf | grep Version

# Alternative: Pin to specific patched version in requirements.txt
echo "pypdf>=6.6.0" >> requirements.txt

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeDOS
  • Vendor/TechPypdf
  • SeverityLOW
  • CVSS Score2.7
  • EPSS Probability0.04%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityLow
  • CWE References
  • CWE-400
  • Technical References
  • GitHub Commit Update
  • GitHub Pull Request Discussion
  • GitHub Release 6.6.0
  • GitHub Security Advisory GHSA-4f6g-68pf-7vhv
  • Related CVEs
  • CVE-2026-41314: pypdf Library DoS Vulnerability
  • CVE-2026-41313: pypdf Library DoS Vulnerability
  • CVE-2026-41312: pypdf Library DoS Vulnerability
  • CVE-2026-41168: pypdf Library DOS Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English