{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28351", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-26T18:38:13.890Z", "datePublished": "2026-02-27T20:59:16.839Z", "dateUpdated": "2026-03-03T20:28:45.592Z"}, "containers": {"cna": {"title": "Manipulated RunLengthDecode streams can exhaust RAM", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/py-pdf/pypdf/security/advisories/GHSA-f2v5-7jq9-h8cg", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/py-pdf/pypdf/security/advisories/GHSA-f2v5-7jq9-h8cg"}, {"name": "https://github.com/py-pdf/pypdf/pull/3664", "tags": ["x_refsource_MISC"], "url": "https://github.com/py-pdf/pypdf/pull/3664"}, {"name": "https://github.com/py-pdf/pypdf/commit/f309c6003746414dc7b5048c19e6d879ff2dc858", "tags": ["x_refsource_MISC"], "url": "https://github.com/py-pdf/pypdf/commit/f309c6003746414dc7b5048c19e6d879ff2dc858"}, {"name": "https://github.com/py-pdf/pypdf/releases/tag/6.7.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/py-pdf/pypdf/releases/tag/6.7.4"}], "affected": [{"vendor": "py-pdf", "product": "pypdf", "versions": [{"version": "< 6.7.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-27T20:59:16.839Z"}, "descriptions": [{"lang": "en", "value": "pypdf is a free and open-source pure-python PDF library. Prior to version 6.7.4, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the content stream using the RunLengthDecode filter. This has been fixed in pypdf 6.7.4. As a workaround, consider applying the changes from PR #3664."}], "source": {"advisory": "GHSA-f2v5-7jq9-h8cg", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-03T20:28:37.910844Z", "id": "CVE-2026-28351", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-03T20:28:45.592Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28351", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-03T20:28:37.910844Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-03T20:28:41.738Z"}}], "cna": {"title": "Manipulated RunLengthDecode streams can exhaust RAM", "source": {"advisory": "GHSA-f2v5-7jq9-h8cg", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "py-pdf", "product": "pypdf", "versions": [{"status": "affected", "version": "< 6.7.4"}]}], "references": [{"url": "https://github.com/py-pdf/pypdf/security/advisories/GHSA-f2v5-7jq9-h8cg", "name": "https://github.com/py-pdf/pypdf/security/advisories/GHSA-f2v5-7jq9-h8cg", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/py-pdf/pypdf/pull/3664", "name": "https://github.com/py-pdf/pypdf/pull/3664", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/py-pdf/pypdf/commit/f309c6003746414dc7b5048c19e6d879ff2dc858", "name": "https://github.com/py-pdf/pypdf/commit/f309c6003746414dc7b5048c19e6d879ff2dc858", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/py-pdf/pypdf/releases/tag/6.7.4", "name": "https://github.com/py-pdf/pypdf/releases/tag/6.7.4", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "pypdf is a free and open-source pure-python PDF library. Prior to version 6.7.4, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the content stream using the RunLengthDecode filter. This has been fixed in pypdf 6.7.4. As a workaround, consider applying the changes from PR #3664."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-27T20:59:16.839Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28351", "state": "PUBLISHED", "dateUpdated": "2026-03-03T20:28:45.592Z", "dateReserved": "2026-02-26T18:38:13.890Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-27T20:59:16.839Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pypdf_project:pypdf:*:*:*:*:*:*:*:*", "matchCriteriaId": "714937CD-E428-4BAC-948C-798559322278", "versionEndExcluding": "6.7.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "pypdf is a free and open-source pure-python PDF library. Prior to version 6.7.4, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the content stream using the RunLengthDecode filter. This has been fixed in pypdf 6.7.4. As a workaround, consider applying the changes from PR #3664."}], "id": "CVE-2026-28351", "lastModified": "2026-03-03T18:36:06.290", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-27T21:16:19.177", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/py-pdf/pypdf/commit/f309c6003746414dc7b5048c19e6d879ff2dc858"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/py-pdf/pypdf/pull/3664"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/py-pdf/pypdf/releases/tag/6.7.4"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/py-pdf/pypdf/security/advisories/GHSA-f2v5-7jq9-h8cg"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "pypdf: pypdf: Denial of Service via crafted PDF with RunLengthDecode filter", "id": "2443450", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2443450"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "status": "draft"}, "cwe": "CWE-770", "details": ["pypdf is a free and open-source pure-python PDF library. Prior to version 6.7.4, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the content stream using the RunLengthDecode filter. This has been fixed in pypdf 6.7.4. As a workaround, consider applying the changes from PR #3664.", "A flaw was found in pypdf, a free and open-source pure-python PDF library. An attacker can exploit this vulnerability by crafting a malicious PDF file that, when parsed, leads to excessive memory consumption. This occurs specifically when processing the content stream using the RunLengthDecode filter. Successful exploitation can result in a Denial of Service (DoS) condition due to large memory usage."], "name": "CVE-2026-28351", "package_state": [{"cpe": "cpe:/a:redhat:openshift_lightspeed", "fix_state": "Fix deferred", "package_name": "openshift-lightspeed/lightspeed-ocp-rag-rhel9", "product_name": "OpenShift Lightspeed"}, {"cpe": "cpe:/a:redhat:openshift_lightspeed", "fix_state": "Fix deferred", "package_name": "openshift-lightspeed/lightspeed-service-api-rhel9", "product_name": "OpenShift Lightspeed"}, {"cpe": "cpe:/a:redhat:openshift_lightspeed", "fix_state": "Fix deferred", "package_name": "openshift-lightspeed-tech-preview/lightspeed-rag-tool-rhel9", "product_name": "OpenShift Lightspeed"}, {"cpe": "cpe:/a:redhat:ai_inference_server:3", "fix_state": "Not affected", "package_name": "rhai/docling-cuda-rhel9", "product_name": "Red Hat AI Inference Server"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Not affected", "package_name": "rhelai3/bootc-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Not affected", "package_name": "rhelai3/disk-image-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-llama-stack-core-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Not affected", "package_name": "quay/quay-rhel8", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Not affected", "package_name": "quay/quay-rhel9", "product_name": "Red Hat Quay 3"}], "public_date": "2026-02-27T20:59:16Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-28351\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-28351\nhttps://github.com/py-pdf/pypdf/commit/f309c6003746414dc7b5048c19e6d879ff2dc858\nhttps://github.com/py-pdf/pypdf/pull/3664\nhttps://github.com/py-pdf/pypdf/releases/tag/6.7.4\nhttps://github.com/py-pdf/pypdf/security/advisories/GHSA-f2v5-7jq9-h8cg"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.7.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "pypdf", "source": "cna", "vendor": "py-pdf"}, "product": "pypdf", "vendor": "py-pdf"}], "analysis": {"en": {"generated_at": "2026-04-16T15:15:56.145882+00:00", "value": {"mitigation_remediation": ["Upgrade the pypdf library to version 6.7.4 or later", "If an immediate upgrade is not feasible, merge the changes from PR #3664 to mitigate the issue", "Implement input validation or sandboxing to restrict the size and depth of RunLengthDecode streams during PDF parsing"], "summary": {"action": "Apply Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The py\u2011pdf project\u2019s pypdf library, versions earlier than 6.7.4, is vulnerable. Any environment that imports pypdf to parse PDF files\u2014such as document viewers, web services that render PDFs, or batch processing scripts\u2014may be affected.", "description_and_impact": "pypdf, a pure\u2011Python PDF library, contains a flaw that allows an attacker to craft a PDF using the RunLengthDecode filter to trigger disproportionate memory consumption. The vulnerability is associated with CWE\u2011400 and CWE\u2011770 and causes a denial\u2011of\u2011service condition when the library parses malicious PDF content, potentially exhausting the process\u2019s RAM and leading to application crashes. The impact is confined to the memory resources of the affected process and does not directly compromise data confidentiality or integrity.", "risk_and_exploitability": "The CVSS score of 6.9 indicates a medium severity, and the EPSS score of < 1% reflects a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. An attacker must supply a specially crafted PDF to an application using the vulnerable library; therefore the inferred attack vector is local or remote through an application that accepts untrusted PDF input. Successful exploitation results in resource exhaustion, degrading availability, but does not provide code execution or data exfiltration."}}}}, "created": "2026-03-02T12:04:53.948262+00:00", "updated": "2026-04-16T15:30:06.210535+00:00", "vendors": ["py-pdf", "py-pdf$PRODUCT$pypdf"]}