{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33699", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T17:06:05.746Z", "datePublished": "2026-03-26T23:58:42.776Z", "dateUpdated": "2026-03-27T19:59:39.751Z"}, "containers": {"cna": {"title": "pypdf: Possible infinite loop during recovery attempts in DictionaryObject.read_from_stream", "problemTypes": [{"descriptions": [{"cweId": "CWE-835", "lang": "en", "description": "CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U", "version": "4.0"}}], "references": [{"name": "https://github.com/py-pdf/pypdf/security/advisories/GHSA-87mj-5ggw-8qc3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/py-pdf/pypdf/security/advisories/GHSA-87mj-5ggw-8qc3"}, {"name": "https://github.com/py-pdf/pypdf/pull/3693", "tags": ["x_refsource_MISC"], "url": "https://github.com/py-pdf/pypdf/pull/3693"}, {"name": "https://github.com/py-pdf/pypdf/releases/tag/6.9.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/py-pdf/pypdf/releases/tag/6.9.2"}], "affected": [{"vendor": "py-pdf", "product": "pypdf", "versions": [{"version": "< 6.9.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T23:58:42.776Z"}, "descriptions": [{"lang": "en", "value": "pypdf is a free and open-source pure-python PDF library. Versions prior to 6.9.2 have a vulnerability in which an attacker can craft a PDF which leads to an infinite loop. This requires reading a file in non-strict mode. This has been fixed in pypdf 6.9.2. If users cannot upgrade yet, consider applying the changes from the patch manually."}], "source": {"advisory": "GHSA-87mj-5ggw-8qc3", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T13:27:07.800115Z", "id": "CVE-2026-33699", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T19:59:39.751Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33699", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T13:27:07.800115Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T13:27:17.131Z"}}], "cna": {"title": "pypdf: Possible infinite loop during recovery attempts in DictionaryObject.read_from_stream", "source": {"advisory": "GHSA-87mj-5ggw-8qc3", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "py-pdf", "product": "pypdf", "versions": [{"status": "affected", "version": "< 6.9.2"}]}], "references": [{"url": "https://github.com/py-pdf/pypdf/security/advisories/GHSA-87mj-5ggw-8qc3", "name": "https://github.com/py-pdf/pypdf/security/advisories/GHSA-87mj-5ggw-8qc3", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/py-pdf/pypdf/pull/3693", "name": "https://github.com/py-pdf/pypdf/pull/3693", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/py-pdf/pypdf/releases/tag/6.9.2", "name": "https://github.com/py-pdf/pypdf/releases/tag/6.9.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "pypdf is a free and open-source pure-python PDF library. Versions prior to 6.9.2 have a vulnerability in which an attacker can craft a PDF which leads to an infinite loop. This requires reading a file in non-strict mode. This has been fixed in pypdf 6.9.2. If users cannot upgrade yet, consider applying the changes from the patch manually."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-835", "description": "CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T23:58:42.776Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33699", "state": "PUBLISHED", "dateUpdated": "2026-03-27T19:59:39.751Z", "dateReserved": "2026-03-23T17:06:05.746Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-26T23:58:42.776Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pypdf_project:pypdf:*:*:*:*:*:*:*:*", "matchCriteriaId": "122BA466-C678-4E2D-9378-30AD9C0474E0", "versionEndExcluding": "6.9.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "pypdf is a free and open-source pure-python PDF library. Versions prior to 6.9.2 have a vulnerability in which an attacker can craft a PDF which leads to an infinite loop. This requires reading a file in non-strict mode. This has been fixed in pypdf 6.9.2. If users cannot upgrade yet, consider applying the changes from the patch manually."}, {"lang": "es", "value": "pypdf es una biblioteca PDF escrita puramente en Python, gratuita y de c\u00f3digo abierto. Las versiones anteriores a la 6.9.2 tienen una vulnerabilidad en la que un atacante puede crear un PDF que conduce a un bucle infinito. Esto requiere leer un archivo en modo no estricto. Esto ha sido corregido en pypdf 6.9.2. Si los usuarios a\u00fan no pueden actualizar, consideren aplicar los cambios del parche manualmente."}], "id": "CVE-2026-33699", "lastModified": "2026-04-01T16:01:35.880", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T01:16:19.147", "references": [{"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/py-pdf/pypdf/pull/3693"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/py-pdf/pypdf/releases/tag/6.9.2"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/py-pdf/pypdf/security/advisories/GHSA-87mj-5ggw-8qc3"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-835"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "pypdf: pypdf: Denial of Service via crafted PDF in non-strict mode", "id": "2452062", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452062"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-606", "details": ["A flaw was found in pypdf. An attacker can craft a malicious PDF file that, when processed by pypdf in non-strict mode, triggers an infinite loop. This vulnerability can lead to a Denial of Service (DoS) by consuming excessive system resources, making the application unresponsive."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, avoid processing untrusted PDF files with pypdf, particularly when operating in non-strict mode. Ensuring that applications using pypdf are configured to operate in strict mode, if supported, can prevent exploitation."}, "name": "CVE-2026-33699", "package_state": [{"cpe": "cpe:/a:redhat:lightspeed_core", "fix_state": "Affected", "package_name": "lightspeed-core/rag-tool-rhel9", "product_name": "Lightspeed Core"}, {"cpe": "cpe:/a:redhat:openshift_lightspeed", "fix_state": "Affected", "package_name": "openshift-lightspeed/lightspeed-ocp-rag-rhel9", "product_name": "OpenShift Lightspeed"}, {"cpe": "cpe:/a:redhat:openshift_lightspeed", "fix_state": "Affected", "package_name": "openshift-lightspeed/lightspeed-service-api-rhel9", "product_name": "OpenShift Lightspeed"}, {"cpe": "cpe:/a:redhat:openshift_lightspeed", "fix_state": "Affected", "package_name": "openshift-lightspeed-tech-preview/lightspeed-rag-tool-rhel9", "product_name": "OpenShift Lightspeed"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "ansible-automation-platform-25/lightspeed-chatbot-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "rhelai3/bootc-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "rhelai3/bootc-rocm-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "rhelai3/disk-image-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-llama-stack-core-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}], "public_date": "2026-03-26T23:58:42Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33699\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33699\nhttps://github.com/py-pdf/pypdf/pull/3693\nhttps://github.com/py-pdf/pypdf/releases/tag/6.9.2\nhttps://github.com/py-pdf/pypdf/security/advisories/GHSA-87mj-5ggw-8qc3"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.9.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "pypdf", "source": "cna", "vendor": "py-pdf"}, "product": "pypdf", "vendor": "py-pdf"}], "analysis": {"en": {"generated_at": "2026-04-02T05:17:47.491257+00:00", "value": {"mitigation_remediation": ["Upgrade to pypdf\u202f6.9.2 or later.", "If an upgrade is not immediately possible, apply the changes from the official patch (GHSA\u201187mj\u20115ggw\u20118qc3) to the affected module in your codebase.", "Enable strict PDF parsing (strict=True) in pypdf calls to prevent the recovery loop from executing.", "Restrict or sanitize external PDF inputs before they reach the pypdf processing routine."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service via Infinite Loop"}, "threat_synthesis": {"affected_systems": "The flaw affects all pypdf versions older than\u202f6.9.2 on any operating system, because the library is pure Python and widely used in scripts and applications that process PDF files. Any Python program that imports pypdf and opens PDFs with non\u2011strict parsing is vulnerable.", "description_and_impact": "An attacker can craft a PDF that causes\u202fpypdf, when used in non\u2011strict mode, to enter an endless loop during recovery attempts in the DictionaryObject.read_from_stream function. The loop consumes CPU time and memory without making progress, effectively locking the host application. This results in a denial of service rather than code execution or data exfiltration. The weakness stems from improper condition checks (CWE\u2011606) and uncontrolled loop increments (CWE\u2011835).", "risk_and_exploitability": "The CVSS v3.1 score of 4.6 indicates moderate severity, while the EPSS score of less than\u202f1\u202f% and absence from the CISA KEV catalog suggest a low probability of exploitation in the wild. The attack vector would require the delivery of a malicious PDF to the target application, typically via local user input or an uploaded file. Using strict parsing, if available, mitigates the risk."}}}}, "created": "2026-03-27T08:31:18.349095+00:00", "updated": "2026-04-02T07:56:00.560832+00:00", "vendors": ["py-pdf", "py-pdf$PRODUCT$pypdf"]}