{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27024", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-17T03:08:23.490Z", "datePublished": "2026-02-20T21:10:07.864Z", "dateUpdated": "2026-02-24T18:34:30.680Z"}, "containers": {"cna": {"title": "pypdf has a possible infinite loop when processing TreeObject", "problemTypes": [{"descriptions": [{"cweId": "CWE-835", "lang": "en", "description": "CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/py-pdf/pypdf/security/advisories/GHSA-996q-pr4m-cvgq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/py-pdf/pypdf/security/advisories/GHSA-996q-pr4m-cvgq"}, {"name": "https://github.com/py-pdf/pypdf/pull/3645", "tags": ["x_refsource_MISC"], "url": "https://github.com/py-pdf/pypdf/pull/3645"}, {"name": "https://github.com/py-pdf/pypdf/commit/bd2f6d052fe5941e85e37082c2a43453d48d1295", "tags": ["x_refsource_MISC"], "url": "https://github.com/py-pdf/pypdf/commit/bd2f6d052fe5941e85e37082c2a43453d48d1295"}, {"name": "https://github.com/py-pdf/pypdf/releases/tag/6.7.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/py-pdf/pypdf/releases/tag/6.7.1"}], "affected": [{"vendor": "py-pdf", "product": "pypdf", "versions": [{"version": "< 6.7.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-20T21:10:07.864Z"}, "descriptions": [{"lang": "en", "value": "pypdf is a free and open-source pure-python PDF library. Prior to 6.7.1, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires accessing the children of a TreeObject, for example as part of outlines. This vulnerability is fixed in 6.7.1."}], "source": {"advisory": "GHSA-996q-pr4m-cvgq", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-24T18:34:14.751487Z", "id": "CVE-2026-27024", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T18:34:30.680Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27024", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-24T18:34:14.751487Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T18:34:22.895Z"}}], "cna": {"title": "pypdf has a possible infinite loop when processing TreeObject", "source": {"advisory": "GHSA-996q-pr4m-cvgq", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "py-pdf", "product": "pypdf", "versions": [{"status": "affected", "version": "< 6.7.1"}]}], "references": [{"url": "https://github.com/py-pdf/pypdf/security/advisories/GHSA-996q-pr4m-cvgq", "name": "https://github.com/py-pdf/pypdf/security/advisories/GHSA-996q-pr4m-cvgq", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/py-pdf/pypdf/pull/3645", "name": "https://github.com/py-pdf/pypdf/pull/3645", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/py-pdf/pypdf/commit/bd2f6d052fe5941e85e37082c2a43453d48d1295", "name": "https://github.com/py-pdf/pypdf/commit/bd2f6d052fe5941e85e37082c2a43453d48d1295", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/py-pdf/pypdf/releases/tag/6.7.1", "name": "https://github.com/py-pdf/pypdf/releases/tag/6.7.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "pypdf is a free and open-source pure-python PDF library. Prior to 6.7.1, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires accessing the children of a TreeObject, for example as part of outlines. This vulnerability is fixed in 6.7.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-835", "description": "CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-20T21:10:07.864Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27024", "state": "PUBLISHED", "dateUpdated": "2026-02-24T18:34:30.680Z", "dateReserved": "2026-02-17T03:08:23.490Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-20T21:10:07.864Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pypdf_project:pypdf:*:*:*:*:*:*:*:*", "matchCriteriaId": "DCEF058D-900A-439F-9975-628E08A1989A", "versionEndExcluding": "6.7.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "pypdf is a free and open-source pure-python PDF library. Prior to 6.7.1, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires accessing the children of a TreeObject, for example as part of outlines. This vulnerability is fixed in 6.7.1."}], "id": "CVE-2026-27024", "lastModified": "2026-02-24T15:19:23.167", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-20T22:16:28.687", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/py-pdf/pypdf/commit/bd2f6d052fe5941e85e37082c2a43453d48d1295"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/py-pdf/pypdf/pull/3645"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/py-pdf/pypdf/releases/tag/6.7.1"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/py-pdf/pypdf/security/advisories/GHSA-996q-pr4m-cvgq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-835"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "pypdf: pypdf: Denial of Service via crafted PDF with TreeObject outlines", "id": "2441490", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2441490"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-835", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-27024", "package_state": [{"cpe": "cpe:/a:redhat:openshift_lightspeed", "fix_state": "Fix deferred", "package_name": "openshift-lightspeed/lightspeed-ocp-rag-rhel9", "product_name": "OpenShift Lightspeed"}, {"cpe": "cpe:/a:redhat:openshift_lightspeed", "fix_state": "Fix deferred", "package_name": "openshift-lightspeed/lightspeed-service-api-rhel9", "product_name": "OpenShift Lightspeed"}, {"cpe": "cpe:/a:redhat:openshift_lightspeed", "fix_state": "Fix deferred", "package_name": "openshift-lightspeed-tech-preview/lightspeed-rag-tool-rhel9", "product_name": "OpenShift Lightspeed"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/bootc-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/disk-image-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-llama-stack-core-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}], "public_date": "2026-02-20T21:10:07Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-27024\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-27024\nhttps://github.com/py-pdf/pypdf/commit/bd2f6d052fe5941e85e37082c2a43453d48d1295\nhttps://github.com/py-pdf/pypdf/pull/3645\nhttps://github.com/py-pdf/pypdf/releases/tag/6.7.1\nhttps://github.com/py-pdf/pypdf/security/advisories/GHSA-996q-pr4m-cvgq"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.7.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "pypdf", "source": "cna", "vendor": "py-pdf"}, "product": "pypdf", "vendor": "py-pdf"}], "analysis": {"en": {"generated_at": "2026-04-17T17:09:58.672029+00:00", "value": {"mitigation_remediation": ["Upgrade the pypdf library to version 6.7.1 or newer, which contains the loop\u2011fix.", "Validate or sanitize PDF input before feeding it to pypdf, rejecting files that contain malformed or excessively nested TreeObjects.", "Run PDF parsing in a restricted or sandboxed process with CPU and memory limits to prevent a single malicious file from exhausting host resources."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The vulnerability applies to the pypdf Python library for all versions prior to 6.7.1, released by the py-pdf project. Any system or application that imports pypdf and parses untrusted PDF files is potentially affected.", "description_and_impact": "An infinite loop occurs when the pypdf library processes the children of a TreeObject, typically used for outlines in a PDF. The loop consumes CPU resources and can cause the parsing application to hang or crash, resulting in a denial of service. This weakness is classified as a logical flaw that can lead to application unavailability, potentially affecting services that rely on PDF processing.", "risk_and_exploitability": "The CVSS score of 6.9 indicates a moderate impact. The EPSS score of less than 1% suggests a very low likelihood of exploitation in the wild, and the issue is not listed as a known exploited vulnerability. An attacker would need to supply a crafted PDF that contains a malicious TreeObject to a vulnerable application; the attack vector is inferred to be via file upload or remote processing of untrusted PDFs. Exploitation relies on the ability to load the PDF within an environment where resource limits are not tightly controlled, and the loop can be triggered without additional credentials."}}}}, "created": "2026-02-23T14:35:06.550079+00:00", "updated": "2026-04-17T17:15:23.722785+00:00", "vendors": ["py-pdf", "py-pdf$PRODUCT$pypdf"]}