CVE-2026-28804 Overview
CVE-2026-28804 is an algorithmic complexity vulnerability in pypdf, a free and open-source pure-Python PDF library. Prior to version 6.7.5, an attacker can craft a malicious PDF document that leads to excessive runtime when processing streams using the /ASCIIHexDecode filter. This denial of service condition occurs due to inefficient algorithmic handling in the filter's decoding logic, allowing resource exhaustion attacks against applications that process untrusted PDF files.
Critical Impact
Applications using vulnerable pypdf versions to process untrusted PDF documents are susceptible to denial of service attacks through crafted PDFs with malicious ASCIIHexDecode streams, potentially causing service unavailability.
Affected Products
- pypdf_project pypdf versions prior to 6.7.5
Discovery Timeline
- 2026-03-06 - CVE-2026-28804 published to NVD
- 2026-03-10 - Last updated in NVD database
Technical Details for CVE-2026-28804
Vulnerability Analysis
This vulnerability falls under CWE-407 (Inefficient Algorithmic Complexity). The pypdf library's /ASCIIHexDecode filter implementation contained inefficient processing logic that could be exploited to cause excessive CPU consumption. When parsing a specially crafted PDF stream utilizing this filter, the decoding routine would exhibit poor algorithmic performance, resulting in prolonged execution times that could render the application unresponsive.
The ASCIIHexDecode filter is used in PDF documents to encode binary data as hexadecimal characters. Malicious PDFs can be constructed to trigger worst-case algorithmic behavior in the vulnerable implementation, making this an effective vector for denial of service attacks against document processing systems, web applications accepting PDF uploads, and automated document workflows.
Root Cause
The root cause lies in the inefficient implementation of the ASCIIHexDecode filter within the pypdf/filters.py module. The original implementation decoded the hexadecimal data in pure Python rather than through optimized binary conversion routines, so decoding cost grew inefficiently with large or maliciously structured hexadecimal streams. The fix introduces the binascii module for improved hexadecimal decoding performance.
Attack Vector
The attack is network-exploitable without authentication or user interaction. An attacker can submit a malicious PDF to any service using a vulnerable pypdf version. The attack payload consists of a PDF document containing a stream object with the /ASCIIHexDecode filter configured to trigger the inefficient processing path. When the application attempts to decode this stream, it enters an extended processing state, consuming CPU resources and potentially blocking other operations.
# Security patch in pypdf/filters.py
# Source: GitHub Commit 648c627d2657447dfb1773412af05a0a5103b98f
__author__ = "Mathieu Fenniak"
__author_email__ = "biziqe@mathieu.fenniak.net"
+import binascii
import math
import os
import shutil
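Review bot: The excerpt stops at the import block, so the only visible change is `+import binascii` and there is no hunk showing where the ASCIIHexDecode decode path in pypdf/filters.py calls into it; as shown, the new import is unused. Include the hunk for the decode routine so the performance claim can be checked against the code that changed.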
Source: GitHub Commit for pypdf
The patch adds the binascii module import, which provides optimized C-level functions for hexadecimal encoding/decoding operations, replacing the slower pure-Python implementation.
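To make the performance difference concrete, here is an added example (not pypdf's code and not from the commit above) that decodes an ASCIIHexDecode stream body two ways: a constructed byte-at-a-time decoder that shows the quadratic CWE-407 pattern, and a linear decoder built on binascii with a size cap as a defensive bound. The sample stream, the function names and the cap value are all assumptions for illustration.

```python
import binascii
import re
import time

# Constructed ASCIIHexDecode stream body (not taken from the page): hex digits
# with interleaved whitespace, an odd trailing digit, and the '>' EOD marker.
SAMPLE = b"48 65 6C\n6C 6F 2\t0 50 44 46 7>ignored after EOD"
PDF_WHITESPACE = b" \t\n\r\x0c\x0b"

def decode_slow(data: bytes) -> bytes:
    """Hypothetical byte-at-a-time decoder illustrating the CWE-407 pattern:
    each `out += ...` copies the whole buffer, so runtime grows quadratically
    with stream size. Constructed for illustration; this is not pypdf's code."""
    out, pair = b"", b""
    for ch in data:
        if ch == 0x3E:                       # '>' marks end of data
            break
        if ch in PDF_WHITESPACE:             # whitespace between digits is ignored
            continue
        pair += bytes((ch,))
        if len(pair) == 2:
            out += bytes((int(pair, 16),))   # O(len(out)) copy per output byte
            pair = b""
    if pair:                                 # odd final digit reads as if followed by 0
        out += bytes((int(pair + b"0", 16),))
    return out

def decode_fast(data: bytes, max_len: int = 50_000_000) -> bytes:
    """Linear-time decoder on the C-level binascii module (the approach the
    page attributes to the fix), plus an assumed size cap as a defensive bound."""
    if len(data) > max_len:
        raise ValueError(f"ASCIIHex stream of {len(data)} bytes exceeds cap")
    body, _, _ = data.partition(b">")        # everything after EOD is ignored
    digits = re.sub(rb"\s+", b"", body)      # strip all whitespace in one pass
    if len(digits) % 2:
        digits += b"0"                       # pad odd trailing digit
    return binascii.unhexlify(digits)        # raises binascii.Error on non-hex input

def _time(fn, data: bytes) -> float:
    start = time.perf_counter()
    fn(data)
    return time.perf_counter() - start

if __name__ == "__main__":
    assert decode_slow(SAMPLE) == decode_fast(SAMPLE) == b"Hello PDFp"
    for n in (20_000, 80_000):               # 4x input -> roughly 16x time for slow
        stream = binascii.hexlify(bytes(n)) + b">"
        print(f"{n:>6} bytes: slow={_time(decode_slow, stream):.3f}s "
              f"fast={_time(decode_fast, stream):.4f}s")
```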
Detection Methods for CVE-2026-28804
Indicators of Compromise
- Abnormally long PDF processing times or timeouts in application logs
- High CPU utilization spikes when processing specific PDF documents
- Application hang or unresponsiveness triggered by PDF file uploads
- Memory or resource exhaustion errors in pypdf-dependent services
Detection Strategies
- Monitor application performance metrics for anomalous processing durations when handling PDF files
- Implement request timeout mechanisms for PDF processing operations to detect potential exploitation attempts
- Scan Python dependencies using software composition analysis (SCA) tools to identify vulnerable pypdf versions
- Review application logs for repeated timeout or resource exhaustion events associated with PDF processing
Monitoring Recommendations
- Deploy application performance monitoring (APM) to track PDF processing duration baselines and alert on deviations
- Configure resource limits (CPU, memory, timeout) for processes handling PDF documents
- Implement rate limiting on PDF upload endpoints to mitigate mass exploitation attempts
- Use SentinelOne Singularity to monitor for process behavior anomalies associated with resource exhaustion attacks
How to Mitigate CVE-2026-28804
Immediate Actions Required
- Upgrade pypdf to version 6.7.5 or later immediately
- Audit applications and dependencies to identify all instances of vulnerable pypdf versions
- Implement input validation and timeout controls for PDF processing functionality
- Consider temporarily disabling PDF processing from untrusted sources until patching is complete
Patch Information
The vulnerability has been addressed in pypdf version 6.7.5. The fix improves the performance of the ASCIIHexDecode filter by utilizing Python's optimized binascii module for hexadecimal decoding operations. Organizations should update their pypdf dependency to the patched version.
For detailed patch information, refer to the GitHub Security Advisory GHSA-9m86-7pmv-2852 and GitHub Pull Request #3666.
Workarounds
- Implement strict timeout limits for PDF processing operations to prevent extended resource consumption
- Deploy input size restrictions on PDF uploads to reduce attack surface
- Run PDF processing in isolated sandboxed environments with resource constraints
- Consider pre-screening PDF files for suspicious stream configurations before processing
# Configuration example - Update pypdf using pip
# The version specifier is quoted so the shell does not treat '>' as a redirect
pip install --upgrade "pypdf>=6.7.5"
# Verify installed version
pip show pypdf | grep Version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.