CVE-2026-41313 Overview
CVE-2026-41313 is a denial-of-service vulnerability in pypdf, a free and open-source pure-Python PDF library. An attacker can craft a PDF whose trailer declares an inflated /Size value; when such a file is cloned in incremental mode, the time pypdf spends grows with the declared size rather than with the document's actual content, leading to excessive CPU consumption and potential resource exhaustion.
Critical Impact
Applications using vulnerable versions of pypdf may experience significant performance degradation or denial of service when processing maliciously crafted PDF files with oversized trailer size values.
Affected Products
- pypdf versions prior to 6.10.2
- Applications that clone documents with pypdf in incremental mode (PdfWriter opened with incremental=True)
- Python environments with vulnerable pypdf installations
Discovery Timeline
- 2026-04-22 - CVE-2026-41313 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-41313
Vulnerability Analysis
This vulnerability falls under CWE-834 (Excessive Iteration): a loop runs far more times than the input warrants because its bound is not adequately controlled. In pypdf the bound comes from the /Size entry of the PDF trailer dictionary, which the incremental cloning path (PdfWriter opened with clone_from=... and incremental=True) used to size its work. A PDF with an artificially inflated /Size therefore makes the library iterate, or allocate, in proportion to an attacker-chosen number rather than to the objects actually present in the file, consuming CPU for an extended time.
The CVSS attack vector is local: a user, or a service acting on a user's behalf, must open or process the crafted PDF. Confidentiality and integrity are not affected; the impact is on availability, which matters for any workflow that parses PDFs with pypdf.
Root Cause
The root cause is that the incremental-cloning code trusted the /Size entry of the trailer dictionary. Per the PDF specification, /Size is the total number of cross-reference entries, one greater than the highest object number used in the file, so in a well-formed document it is tightly bound to the document's real structure. pypdf did not cross-check the declared value against the cross-reference data it had actually parsed, so an attacker could declare an arbitrarily large /Size and drive the cloning loop through a correspondingly large number of iterations.
Attack Vector
The attack needs user interaction: a victim, or an automated service acting for the victim, must process the malicious PDF with an application that clones documents through pypdf in incremental mode. Although the CVSS vector is rated local, the file can arrive through any channel that reaches the parser, such as email attachments, uploads to a web application, or file-sharing services; a server-side pipeline that parses user-submitted PDFs is therefore exposed to anyone who can submit a file. When the vulnerable code runs, the inflated /Size drives the parsing loop through far more iterations than the document's objects justify, consuming CPU and potentially hanging the application or worker process.
# Security patch excerpt from pypdf/_writer.py
# SEC: Do not rely on possibly invalid /Size for incremental cloning (#3735)
from .constants import FieldDictionaryAttributes as FA
from .constants import PageAttributes as PG
from .constants import TrailerKeys as TK
-from .errors import PdfReadError, PyPdfError
+from .errors import LimitReachedError, PdfReadError, PyPdfError
from .generic import (
PAGE_FIT,
ArrayObject,
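Review bot: this hunk shows only the import side of the fix (LimitReachedError added to the `from .errors import` line near the top of pypdf/_writer.py) and the excerpt ends before any line that uses it, so a reader cannot see where the dependency on the trailer /Size was removed or where the new limit is enforced and raised; include the hunk from the incremental cloning path that stops relying on /Size together with the `raise LimitReachedError(...)` site, otherwise the import reads as unused in this view and the behavioural change the commit title describes is not reviewable from the excerpt.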
Source: GitHub Commit Details
Detection Methods for CVE-2026-41313
Indicators of Compromise
- PDF files with unusually large /Size values in trailer dictionaries (values significantly exceeding the actual object count)
- Application processes consuming excessive CPU time when parsing specific PDF files
- pypdf-based applications experiencing unexpected hangs or timeouts during PDF processing
Detection Strategies
- Monitor for abnormal CPU consumption in processes using pypdf for PDF parsing operations
- Implement file analysis to detect PDFs with disproportionately large trailer /Size values relative to file size
- Review application logs for timeout errors or resource exhaustion events during PDF processing
- Use dependency scanning tools to identify pypdf installations running versions prior to 6.10.2
Monitoring Recommendations
- Set up resource consumption alerts for services that process user-supplied PDF documents
- Implement timeout controls on PDF parsing operations to prevent indefinite hangs
- Monitor package management systems for outdated pypdf dependencies
- Track processing time metrics for PDF operations to identify anomalous patterns
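The timeout control recommended above is easiest to enforce at the process boundary, because a pure-Python parse loop cannot be interrupted reliably from another thread. The script below is an added example and is not part of pypdf or the advisory: run_with_timeout executes a callable in a forked child process, collects its result through a pipe, and terminates the child if it has not answered within the wall-clock budget; on Linux it can also cap the child's address space so an allocation-heavy file fails with MemoryError instead of exhausting the host. fake_parse and slow_parse are constructed stand-ins for the work; clone_incremental shows how to wrap the affected code path, PdfWriter(clone_from=..., incremental=True), and is only invoked when a file path is given, so the script runs without pypdf installed.

```python
"""Run an untrusted-PDF processing step in a child process under a wall-clock (and optional memory) limit.
Added example, not pypdf code: the limit is enforced by terminating the child, so a runaway loop inside
the parser cannot hold the worker process hostage."""
import multiprocessing as mp
import time

try:                        # RLIMIT_AS is Unix-only; the memory cap is skipped elsewhere
    import resource
except ImportError:
    resource = None

try:                        # fork lets us hand the child any callable without pickling it
    CTX = mp.get_context("fork")
except ValueError:          # Windows: fall back to spawn (callables must then be module-level)
    CTX = mp.get_context()


def _worker(conn, fn, args, memory_limit_bytes):
    """Child side: optionally cap memory, run fn, report ('ok', result) or ('error', repr(exc))."""
    if memory_limit_bytes and resource is not None:
        resource.setrlimit(resource.RLIMIT_AS, (memory_limit_bytes, memory_limit_bytes))
    try:
        conn.send(("ok", fn(*args)))
    except BaseException as exc:    # includes MemoryError; send repr, exception objects may not pickle
        conn.send(("error", repr(exc)))
    finally:
        conn.close()


def run_with_timeout(fn, args=(), timeout=30.0, memory_limit_bytes=None):
    """Return ('ok', value), ('error', message), ('crashed', exitcode) or ('timeout', None)."""
    parent_conn, child_conn = CTX.Pipe(duplex=False)
    proc = CTX.Process(target=_worker, args=(child_conn, fn, args, memory_limit_bytes), daemon=True)
    proc.start()
    child_conn.close()              # the parent keeps only the receiving end
    deadline = time.monotonic() + timeout
    try:
        while True:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                break
            if parent_conn.poll(min(remaining, 0.1)):
                status, value = parent_conn.recv()
                proc.join()
                return status, value
            if not proc.is_alive() and not parent_conn.poll(0):
                proc.join()         # died without reporting, e.g. killed by the OOM killer
                return "crashed", proc.exitcode
        proc.terminate()            # SIGTERM first ...
        proc.join(1.0)
        if proc.is_alive():
            proc.kill()             # ... SIGKILL if the child ignores it
            proc.join()
        return "timeout", None
    finally:
        parent_conn.close()


def fake_parse(declared_size):
    """Constructed stand-in for a loop whose trip count is taken from an untrusted /Size."""
    return sum(1 for _ in range(declared_size))


def slow_parse(seconds):
    """Constructed stand-in for a parse that stalls."""
    time.sleep(seconds)
    return "finished"


def clone_incremental(path):
    """The affected code path: clone a PDF with pypdf in incremental mode (imported lazily)."""
    from pypdf import PdfWriter
    writer = PdfWriter(clone_from=path, incremental=True)
    return len(writer.pages)


if __name__ == "__main__":
    import sys
    print(run_with_timeout(fake_parse, (10_000,), timeout=5))     # ('ok', 10000)
    print(run_with_timeout(slow_parse, (5,), timeout=0.5))        # ('timeout', None)
    if len(sys.argv) > 1:                                         # wrap the real workload
        print(run_with_timeout(clone_incremental, (sys.argv[1],), timeout=30,
                               memory_limit_bytes=512 * 1024 * 1024))
```

The child is marked daemon so it is killed if the parent exits, and the parent polls in short slices so a child that dies without reporting (an OOM kill, a segfault in a native extension) is surfaced as 'crashed' rather than waiting out the full budget. The memory cap relies on RLIMIT_AS and is effective on Linux; macOS accepts the call but does not enforce it.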
How to Mitigate CVE-2026-41313
Immediate Actions Required
- Upgrade pypdf to version 6.10.2 or later immediately
- Audit applications to identify all instances where pypdf is used for PDF processing
- Implement input validation and timeout controls for PDF parsing operations
- Review and update dependency management configurations to ensure automatic security updates
Patch Information
The vulnerability has been fixed in pypdf version 6.10.2. The patch introduces the LimitReachedError exception handling and modifies the incremental cloning logic to avoid relying on potentially invalid /Size values from PDF trailers. The fix is available through the GitHub Release v6.10.2. Additional details can be found in the GitHub Security Advisory GHSA-4pxv-j86v-mhcw and the GitHub Pull Request #3735.
Workarounds
- Apply the changes from the security patch manually if upgrading is not immediately possible
- Implement timeout mechanisms for PDF processing operations to limit exposure
- Restrict PDF uploads or processing to trusted sources where feasible
- Add pre-processing validation to reject PDFs with suspicious trailer values
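The following script, added here as an example and not part of pypdf or the advisory, implements the pre-processing check listed above together with the trailer /Size heuristic from the detection strategies: it extracts every /Size declared in a trailer dictionary or cross-reference stream dictionary, compares the largest against the highest object number actually present in the file (for a well-formed document /Size is that number plus one), and flags files that declare far more entries than exist, exceed a hard cap, or declare fewer entries than their own objects need. The two embedded PDFs are constructed for the demonstration (their xref byte offsets are not accurate, which the check ignores), the thresholds are assumptions to tune for your workload, and the regex scan is a triage filter rather than a PDF parser: a nested dictionary inside a trailer can cut a match short.

```python
"""Pre-parse triage of trailer /Size values in a PDF (added example; a heuristic, not a PDF parser)."""
import re

# Thresholds are assumptions for this example; tune them for the documents you actually handle.
HARD_CAP = 5_000_000     # no legitimate document in this pipeline declares this many objects
SLACK_FACTOR = 4         # allow /Size up to 4x the object count implied by the file ...
SLACK_ABS = 1024         # ... plus a fixed margin, so tiny files are not flagged by noise

# Classic trailer dictionary: "trailer << ... >>". A nested "<< >>" inside it would end the match early.
TRAILER_DICT_RE = re.compile(rb"trailer\s*<<(.*?)>>", re.DOTALL)
# Cross-reference stream (PDF 1.5+): an object whose dictionary carries /Type /XRef, followed by "stream".
# The tempered pattern refuses to run past "endobj", so it cannot swallow a neighbouring object.
XREF_STREAM_RE = re.compile(rb"\d+\s+\d+\s+obj\s*<<((?:(?!endobj).)*?)>>\s*stream", re.DOTALL)
SIZE_RE = re.compile(rb"/Size\s+(\d+)")
# "N G obj" headers; the lookbehind keeps a generation number from being read as an object number.
OBJ_HEADER_RE = re.compile(rb"(?<![0-9])(\d+)\s+\d+\s+obj\b")


def find_trailer_sizes(data: bytes) -> list[int]:
    """Every /Size declared in a trailer or xref-stream dictionary, in file order."""
    sizes = []
    for m in TRAILER_DICT_RE.finditer(data):
        s = SIZE_RE.search(m.group(1))
        if s:
            sizes.append(int(s.group(1)))
    for m in XREF_STREAM_RE.finditer(data):
        body = m.group(1)
        if b"/XRef" in body:
            s = SIZE_RE.search(body)
            if s:
                sizes.append(int(s.group(1)))
    return sizes


def highest_object_number(data: bytes) -> int:
    """Largest object number that actually has an "N G obj" header; -1 if the file has none."""
    return max((int(m.group(1)) for m in OBJ_HEADER_RE.finditer(data)), default=-1)


def check_pdf_trailer_size(data: bytes, hard_cap=HARD_CAP, slack_factor=SLACK_FACTOR,
                           slack_abs=SLACK_ABS) -> dict:
    """Return a verdict dict; 'suspicious' is True when the declared /Size does not fit the file."""
    sizes = find_trailer_sizes(data)
    highest = highest_object_number(data)
    expected = highest + 1   # PDF 32000-1, 7.5.5: /Size is one greater than the highest object number
    verdict = {"declared_sizes": sizes, "highest_object": highest, "expected_size": expected,
               "suspicious": False, "reason": "declared /Size is consistent with the objects present"}
    if not sizes:
        verdict["reason"] = "no trailer /Size found; leave the decision to the parser"
        return verdict
    declared = max(sizes)    # incremental updates append trailers; the latest (largest) one governs
    if declared > hard_cap:
        verdict.update(suspicious=True, reason=f"/Size {declared} exceeds hard cap {hard_cap}")
    elif declared > expected * slack_factor + slack_abs:
        verdict.update(suspicious=True,
                       reason=f"/Size {declared} far exceeds the {expected} entries implied by the objects present")
    elif declared < expected:
        verdict.update(suspicious=True,
                       reason=f"/Size {declared} is smaller than the highest object number {highest} requires")
    return verdict


# Constructed sample PDFs for the demonstration; xref offsets are not byte-accurate (the check ignores them).
BENIGN_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>
endobj
xref
0 4
0000000000 65535 f
0000000009 00000 n
0000000058 00000 n
0000000115 00000 n
trailer
<< /Size 4 /Root 1 0 R >>
startxref
178
%%EOF
"""

# The same file with an incremental update appended: one new object, but a /Size of 2^31 - 1.
INFLATED_PDF = BENIGN_PDF + b"""4 0 obj
<< /Type /Page /Parent 2 0 R >>
endobj
xref
0 1
0000000000 65535 f
4 1
0000000300 00000 n
trailer
<< /Size 2147483647 /Root 1 0 R /Prev 178 >>
startxref
400
%%EOF
"""

if __name__ == "__main__":
    for name, pdf in (("benign", BENIGN_PDF), ("inflated", INFLATED_PDF)):
        v = check_pdf_trailer_size(pdf)
        print(f"{name}: suspicious={v['suspicious']} ({v['reason']})")
```

Run it on a file with `check_pdf_trailer_size(open(path, "rb").read())` before the bytes reach pypdf, and reject or quarantine anything that comes back suspicious. The check reads the whole file into memory, so pair it with an upload size limit; the hard cap on its own stops the inflated case, and the factor-based comparison catches the subtler one where /Size is plausible in absolute terms but still out of proportion to the objects the file actually contains.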
# Upgrade pypdf to the patched version (quote the specifier so the shell does not treat ">=" as a redirection)
pip install --upgrade "pypdf>=6.10.2"
# Verify the installed version
pip show pypdf | grep Version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

