VYPR
Vypr IntelligenceAI-generatedJul 9, 2026· 3 CVEs

PyPDF: Three DoS Vulnerabilities Patched Together in Version 6.14.0

PyPDF library patched against three denial-of-service vulnerabilities triggered by specially crafted PDF files, fixed in version 6.14.0.

Key findings

  • Three denial-of-service vulnerabilities in PyPDF disclosed together on July 9, 2026.
  • Vulnerabilities stem from crafted PDFs exploiting image parsing and cross-reference stream handling.
  • CVE-2026-59938: Excessive memory usage due to oversized declared image sizes.
  • CVE-2026-59937: Long runtimes caused by malformed cross-reference streams.
  • CVE-2026-59936: Denial of service via crafted PDF inline images.
  • All issues fixed in PyPDF version 6.14.0.

On July 9, 2026, a batch of three vulnerabilities affecting the PyPDF library was disclosed, all of which were fixed in version 6.14.0. These vulnerabilities, identified as CVE-2026-59938, CVE-2026-59937, and CVE-2026-59936, primarily relate to denial-of-service (DoS) conditions that can be triggered by specially crafted PDF files. The disclosures highlight potential risks for applications relying on PyPDF for PDF manipulation.

Two of the vulnerabilities, CVE-2026-59938 and CVE-2026-59937, stem from an attacker's ability to craft malicious PDFs that exploit how PyPDF parses image data and cross-reference streams. In the case of CVE-2026-59938, an attacker can declare image size values that are significantly larger than the actual image data. This discrepancy forces PyPDF to allocate excessive memory during image parsing, leading to a denial-of-service. CVE-2026-59937 addresses a similar DoS issue where malformed cross-reference streams in a PDF can cause the library to consume excessive runtime attempting to recover corrupted data. Both of these issues were present in versions prior to 6.14.0.

The third vulnerability, CVE-2026-59936, also presents a denial-of-service risk, specifically through the use of crafted PDF inline images. While the description is less detailed than the other two, it indicates that specially designed inline images within a PDF document can lead to the application becoming unresponsive. This vulnerability was also addressed in the recent patch.

All three vulnerabilities were patched and resolved in version 6.14.0 of the PyPDF library. Users are strongly advised to update to this version or later to mitigate the risks associated with these denial-of-service vulnerabilities. The close timing of these disclosures suggests a coordinated effort to address these specific flaws in the library's PDF parsing mechanisms.

The disclosure of these vulnerabilities underscores the importance of robust input validation and resource management in libraries that process complex file formats like PDFs. Developers using PyPDF should ensure they are on the latest version to benefit from the security fixes. Future attention should be paid to how PDF parsing libraries handle malformed or resource-intensive documents to prevent similar DoS attacks.

AI-written article. Grounded in 3 CVE records listed below.