CVE-2026-27628 Overview
CVE-2026-27628 is an Infinite Loop vulnerability in pypdf, a free and open-source pure-python PDF library. Prior to version 6.7.2, an attacker can craft a malicious PDF document that causes the library to enter an infinite loop when the file is read. This vulnerability specifically affects the cross-reference (xref) table parsing functionality, where circular /Prev references can cause the parser to loop indefinitely.
Critical Impact
Maliciously crafted PDF files can cause applications using pypdf to hang indefinitely, leading to Denial of Service conditions in PDF processing workflows.
Affected Products
- pypdf versions prior to 6.7.2
- Applications and services using vulnerable pypdf versions for PDF processing
- Python-based document processing pipelines utilizing pypdf
Discovery Timeline
- 2026-02-25 - CVE-2026-27628 published to NVD
- 2026-02-25 - Last updated in NVD database
Technical Details for CVE-2026-27628
Vulnerability Analysis
This vulnerability falls under CWE-835 (Loop with Unreachable Exit Condition), commonly known as an Infinite Loop vulnerability. The issue exists in pypdf's PDF reader component, specifically in how it processes the cross-reference (xref) table chain when parsing PDF documents.
PDF files use cross-reference tables to track object locations within the document. These tables can be chained together using /Prev references, which point to previous xref sections. When a malicious PDF is crafted with circular /Prev references (where an xref section eventually points back to itself or a previous section in the chain), the parser enters an infinite loop as it continuously follows the circular reference chain.
The attack requires user interaction—the malicious PDF must be opened or processed by an application using the vulnerable pypdf library. While the impact is limited to availability (causing the application to hang), this can be significant in automated document processing systems, web applications that handle PDF uploads, or any service that processes PDFs from untrusted sources.
Root Cause
The root cause is insufficient validation of xref table offset references during PDF parsing. The _reader.py module did not track previously visited xref offsets, allowing the parser to follow circular /Prev chains indefinitely without detecting the loop condition.
Attack Vector
The attack is network-accessible, as malicious PDFs can be delivered via email, web uploads, or any file transfer mechanism. The attacker creates a PDF with a self-referencing or circular xref chain. When the target application opens or parses this file using pypdf, the library's reader enters an infinite loop, consuming CPU resources and causing the application to become unresponsive.
self.xref_free_entry = {}
self.xref_objStm = {}
self.trailer = DictionaryObject()
+ visited_xref_offsets: set[int] = set()
while startxref is not None:
+ # Detect circular /Prev references in the xref chain
+ if startxref in visited_xref_offsets:
+ logger_warning(
+ f"Circular xref chain detected at offset {startxref}, stopping",
+ __name__,
+ )
+ break
+ visited_xref_offsets.add(startxref)
# load the xref table
stream.seek(startxref, 0)
x = stream.read(1)
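Review bot: the new check only fires when an offset repeats exactly (`if startxref in visited_xref_offsets`), so a crafted chain of many distinct /Prev offsets that never repeats still costs one full section load per link; consider pairing `visited_xref_offsets` with a maximum chain length so worst-case work is bounded as well as terminated. Also, `logger_warning(...)` followed by `break` silently truncates the xref chain, which means objects only reachable through the dropped sections will later fail to resolve; raising an error when the reader is in strict mode, instead of only warning, would surface that to the caller.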
Source: GitHub Commit Details
Detection Methods for CVE-2026-27628
Indicators of Compromise
- Applications or processes using pypdf become unresponsive when processing specific PDF files
- Elevated CPU usage in Python processes handling PDF documents
- PDF files with suspicious xref table structures containing circular /Prev references
- Process hangs or timeouts in document processing pipelines
Detection Strategies
- Monitor for Python processes with excessive CPU usage during PDF parsing operations
- Implement timeout mechanisms around PDF processing operations to detect infinite loops
- Review application logs for stuck or unresponsive PDF processing tasks
- Scan for pypdf versions prior to 6.7.2 in application dependencies
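A pre-flight check that applies the visited-offset idea from the patch outside pypdf, so a file whose xref chain loops (the indicator listed above) can be rejected before any parser touches it. This is an added example, not pypdf code or the project's fix; the regexes, the `check_xref_chain` and `build_sample_pdf` helpers and the minimal PDF bytes are constructed for illustration, and it goes slightly beyond the patch by also capping chain length so a long non-repeating chain is bounded too.

```python
import re

_STARTXREF_RE = re.compile(rb"startxref\s+(\d+)")   # constructed patterns, not pypdf's
_PREV_RE = re.compile(rb"/Prev\s+(\d+)")
_OBJ_RE = re.compile(rb"\d+\s+\d+\s+obj")

def _trailer_dict(data: bytes, offset: int):
    """Bytes of the trailer (or xref-stream) dictionary for the section at offset."""
    if data.startswith(b"xref", offset):          # classic cross-reference table
        start = data.find(b"trailer", offset)
        end = data.find(b">>", start) if start >= 0 else -1
    elif _OBJ_RE.match(data, offset):             # cross-reference stream (PDF 1.5+)
        start, end = offset, data.find(b"stream", offset)
    else:
        return None
    return data[start:end] if end > 0 else None

def check_xref_chain(data: bytes, max_sections: int = 64):
    """Follow startxref -> /Prev -> ... with a visited set and a length cap; returns
    (visited_offsets, status) with status 'ok', 'cycle', 'too_long', 'bad_offset' or 'no_startxref'."""
    marks = _STARTXREF_RE.findall(data)
    if not marks:
        return [], "no_startxref"
    offset, visited, seen = int(marks[-1]), [], set()
    while offset is not None:
        if offset in seen:                        # the bug class behind CVE-2026-27628
            return visited, "cycle"
        if len(visited) >= max_sections:          # bound work even without an exact repeat
            return visited, "too_long"
        if not 0 <= offset < len(data):
            return visited, "bad_offset"
        seen.add(offset)
        visited.append(offset)
        trailer = _trailer_dict(data, offset)
        if trailer is None:
            return visited, "bad_offset"
        prev = _PREV_RE.search(trailer)
        offset = int(prev.group(1)) if prev else None
    return visited, "ok"

def build_sample_pdf(circular: bool) -> bytes:
    """Constructed minimal PDF; with circular=True the trailer's /Prev points at itself."""
    body = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
            b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n")
    xref_off = len(body)
    prev = b" /Prev %d" % xref_off if circular else b""
    return body + (b"xref\n0 3\n0000000000 65535 f \n0000000009 00000 n \n"
                   b"0000000058 00000 n \ntrailer\n<< /Size 3 /Root 1 0 R" + prev
                   + b" >>\nstartxref\n%d\n%%%%EOF\n" % xref_off)
```

Any status other than 'ok' is a reason to quarantine the upload rather than pass it to a parser, and the returned offsets give the analyst the chain that was followed.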
Monitoring Recommendations
- Implement resource limits and timeouts for PDF processing operations
- Set up alerts for processes that exceed expected processing duration for PDF files
- Monitor application performance metrics during PDF handling operations
- Track pypdf library versions across development and production environments
How to Mitigate CVE-2026-27628
Immediate Actions Required
- Upgrade pypdf to version 6.7.2 or later immediately
- Audit applications and dependencies to identify all instances of vulnerable pypdf versions
- Implement timeout mechanisms for PDF processing as a defensive measure
- Consider sandboxing PDF processing operations to limit impact of potential DoS
Patch Information
The vulnerability has been fixed in pypdf version 6.7.2. The patch introduces tracking of visited xref offsets to detect and break circular reference chains. Users should upgrade to this version or later using pip:
pip install --upgrade "pypdf>=6.7.2"
For detailed information about the fix, see the GitHub Security Advisory and the GitHub Issue Discussion.
Workarounds
- Apply the patch manually from the GitHub Commit if immediate upgrade is not possible
- Implement timeout wrappers around pypdf file reading operations to prevent indefinite hangs
- Restrict PDF uploads and processing to trusted sources only
- Use process isolation or containerization to limit the blast radius of DoS conditions
# Configuration example - Upgrade pypdf to patched version
pip install "pypdf>=6.7.2"
# Verify installed version
pip show pypdf | grep Version
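A process-isolated timeout wrapper for the workaround listed above (an added example, not pypdf's own code). It assumes a POSIX host where the fork start method is available; `_spin_forever` is a constructed stand-in for a reader that never returns, and `page_count_with_timeout` shows how a pipeline would wrap pypdf, which is imported only inside the child process.

```python
import multiprocessing as mp

def _worker(target, args, conn):
    """Child-process body: run target and report its result or its exception."""
    try:
        conn.send(("ok", target(*args)))
    except Exception as exc:                 # parser errors are reported, not swallowed
        conn.send(("error", repr(exc)))
    finally:
        conn.close()

def run_with_timeout(target, args=(), timeout=10.0):
    """Run target(*args) in a child process and kill it after timeout seconds.
    Returns ('ok', result), ('error', message) or ('timeout', None)."""
    ctx = mp.get_context("fork")             # assumption: POSIX host with fork available
    parent_conn, child_conn = ctx.Pipe(duplex=False)
    proc = ctx.Process(target=_worker, args=(target, args, child_conn))
    proc.start()
    child_conn.close()
    proc.join(timeout)
    if proc.is_alive():                      # the hang stays in the child, not the service
        proc.kill()
        proc.join()
        return ("timeout", None)
    if parent_conn.poll():
        return parent_conn.recv()
    return ("error", "worker exited with code %s" % proc.exitcode)

def _spin_forever():
    """Constructed stand-in for an unpatched reader following a circular /Prev chain."""
    while True:
        pass

def page_count_with_timeout(path: str, timeout: float = 10.0):
    """How a pipeline would wrap pypdf: the library only ever runs inside the child."""
    def count(p):
        from pypdf import PdfReader          # imported in the child; a hang never blocks the parent
        return len(PdfReader(p).pages)
    return run_with_timeout(count, (path,), timeout)
```

A 'timeout' result is itself a detection signal worth logging alongside the file's hash, since a benign PDF rarely needs more than a few seconds to open.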
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


