CVE-2026-28351 Overview
CVE-2026-28351 is a resource exhaustion vulnerability in pypdf, a free and open-source pure-python PDF library. Prior to version 6.7.4, an attacker can craft a malicious PDF document that leads to excessive memory consumption when the content stream is parsed using the RunLengthDecode filter. This vulnerability can be exploited to cause denial of service conditions in applications that process untrusted PDF files using the affected pypdf versions.
Critical Impact
Applications processing untrusted PDF files with pypdf versions prior to 6.7.4 are vulnerable to memory exhaustion attacks that could crash the application or degrade system performance.
Affected Products
- pypdf versions prior to 6.7.4
- Applications using pypdf for PDF parsing with RunLengthDecode filter processing
Discovery Timeline
- 2026-02-27 - CVE-2026-28351 published to NVD
- 2026-03-03 - Last updated in NVD database
Technical Details for CVE-2026-28351
Vulnerability Analysis
This vulnerability is classified as CWE-400 (Uncontrolled Resource Consumption). The pypdf library lacked proper output length limits when decoding content streams compressed with the RunLengthDecode filter. An attacker could craft a specially constructed PDF file containing malicious RunLengthDecode-encoded data that, when decoded, expands to consume excessive amounts of memory.
The vulnerability is exploitable over the network since malicious PDF files can be delivered via email, web downloads, or any application that accepts PDF uploads and processes them with pypdf. No user interaction beyond opening or processing the malicious PDF is required, and no authentication or special privileges are needed to trigger the vulnerability.
Root Cause
The root cause of this vulnerability was the absence of maximum output length constraints for the RunLengthDecode filter in pypdf's filter processing code. While other filters such as JBIG2Decode, LZWDecode, and Zlib had output length limits in place, the RunLengthDecode filter did not have similar protections, allowing unbounded memory allocation during decompression operations.
Attack Vector
An attacker can exploit this vulnerability by:
- Crafting a malicious PDF file with a content stream that uses the RunLengthDecode filter
- Embedding specially constructed encoded data that results in massive memory allocation when decoded
- Delivering the malicious PDF to a target system that processes it using a vulnerable pypdf version
- The victim application's memory consumption grows uncontrollably, potentially leading to denial of service
The following patch was applied to fix this vulnerability by adding a maximum output length constant for the RunLengthDecode filter:
JBIG2_MAX_OUTPUT_LENGTH = 75_000_000
LZW_MAX_OUTPUT_LENGTH = 75_000_000
RUN_LENGTH_MAX_OUTPUT_LENGTH = 75_000_000
ZLIB_MAX_OUTPUT_LENGTH = 75_000_000
ZLIB_MAX_RECOVERY_INPUT_LENGTH = 5_000_000
Source: GitHub Commit f309c60
Detection Methods for CVE-2026-28351
Indicators of Compromise
- Unusual memory consumption spikes in applications that process PDF files
- Application crashes or out-of-memory errors when handling PDF documents
- PDF files containing abnormally large RunLengthDecode-encoded content streams
- System slowdowns or unresponsiveness during PDF processing operations
Detection Strategies
- Monitor memory usage patterns for applications using pypdf to detect abnormal allocation behavior
- Implement file integrity checks and scanning for PDF files with suspicious RunLengthDecode filter content
- Review application logs for memory-related exceptions or errors during PDF parsing
- Use dependency scanning tools to identify vulnerable pypdf versions in your codebase
Monitoring Recommendations
- Configure memory usage alerts for services that process untrusted PDF files
- Implement resource limits (memory cgroups, container limits) for PDF processing workloads
- Monitor for recurring crashes in PDF processing components
- Track pypdf dependency versions across your software inventory
How to Mitigate CVE-2026-28351
Immediate Actions Required
- Upgrade pypdf to version 6.7.4 or later immediately
- Audit applications that process untrusted PDF files using pypdf
- Consider implementing memory limits for PDF processing operations as defense in depth
- Review any queued or stored PDF files for potential exploitation attempts
Patch Information
The vulnerability has been fixed in pypdf version 6.7.4. The fix introduces a RUN_LENGTH_MAX_OUTPUT_LENGTH constant set to 75,000,000 bytes, limiting the maximum output size during RunLengthDecode filter processing. This aligns with the existing protections for other filter types in the library.
For detailed patch information, see the GitHub Security Advisory and the GitHub Release 6.7.4.
Workarounds
- Apply the changes from PR #3664 if upgrading is not immediately possible
- Implement application-level memory limits to contain potential exploitation
- Add input validation to reject PDF files exceeding reasonable size thresholds before processing
- Consider sandboxing PDF processing operations to limit resource consumption impact
# Upgrade pypdf to the patched version
pip install --upgrade pypdf>=6.7.4
# Verify installed version
pip show pypdf | grep Version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
