Moderate severity · NVD Advisory · Published Feb 27, 2026 · Updated Mar 3, 2026
Manipulated RunLengthDecode streams can exhaust RAM
CVE-2026-28351
Description
pypdf is a free and open-source pure-Python PDF library. Prior to version 6.7.4, an attacker can craft a PDF that causes large memory usage when it is processed. Triggering the issue requires parsing a content stream that uses the RunLengthDecode filter. This has been fixed in pypdf 6.7.4. As a workaround, consider applying the changes from PR #3664.
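The following is an added example, not pypdf's code and not the change from PR #3664: a RunLengthDecode decoder (per the PDF specification's run-length rules) that enforces an output cap before growing its buffer, which is the general defence against streams that expand far beyond their encoded size. The names `run_length_decode`, `OutputLimitExceeded` and `MAX_OUTPUT`, the cap value, and both sample streams are assumptions made for illustration.

```python
"""RunLengthDecode with an output cap (added illustration, not pypdf code)."""

MAX_OUTPUT = 1_000_000  # assumed per-stream limit in bytes; tune per deployment


class OutputLimitExceeded(ValueError):
    """Decoded data would grow past the configured cap."""


def run_length_decode(data: bytes, max_output: int = MAX_OUTPUT) -> bytes:
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        length = data[i]
        i += 1
        if length == 128:  # EOD marker: stop decoding
            break
        if length < 128:  # literal run: copy the next length + 1 bytes
            count = length + 1
            if i + count > n:
                raise ValueError("truncated literal run")
            run = data[i:i + count]
            i += count
        else:  # repeat run: next byte repeated 257 - length times (2..128)
            count = 257 - length
            if i >= n:
                raise ValueError("truncated repeat run")
            run = data[i:i + 1] * count
            i += 1
        # Enforce the cap before growing the buffer, so an oversized stream
        # fails early instead of after the memory is already committed.
        if len(out) + count > max_output:
            raise OutputLimitExceeded(
                f"decoded size exceeds {max_output} bytes at input offset {i}"
            )
        out += run
    return bytes(out)


# Constructed samples (not taken from any real PDF).
SMALL = b"\x02abc" + b"\xfdZ" + b"\x80"  # literal "abc", then "Z" repeated 4 times
DENSE = b"\x81\x00" * 100 + b"\x80"      # 100 maximal repeat runs of 128 bytes

if __name__ == "__main__":
    print(run_length_decode(SMALL))
    print(len(DENSE), "->", len(run_length_decode(DENSE)))
    try:
        run_length_decode(DENSE, max_output=4096)
    except OutputLimitExceeded as exc:
        print("rejected:", exc)
```

A repeat run turns 2 encoded bytes into at most 128 decoded bytes, so the cap should be sized against the largest legitimate stream the application expects rather than against input size.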
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pypdf (PyPI) | < 6.7.4 | 6.7.4 |
Affected products
osv-coords (6 versions, no CPE):
| Package URL | Affected range |
|---|---|
| pkg:apk/chainguard/litellm | < 1.81.14-r0 |
| pkg:apk/chainguard/nemo | < 2.7.0-r1 |
| pkg:apk/chainguard/open-webui | < 0.8.6-r0 |
| pkg:apk/wolfi/open-webui | < 0.8.6-r0 |
| pkg:pypi/pypdf | < 6.7.4 |
| pkg:rpm/opensuse/python-pypdf&distro=openSUSE%20Tumbleweed | < 6.7.5-1.1 |
References
- github.com/advisories/GHSA-f2v5-7jq9-h8cg (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-28351 (ghsa, ADVISORY)
- github.com/py-pdf/pypdf/commit/f309c6003746414dc7b5048c19e6d879ff2dc858 (ghsa, x_refsource_MISC, WEB)
- github.com/py-pdf/pypdf/pull/3664 (ghsa, x_refsource_MISC, WEB)
- github.com/py-pdf/pypdf/releases/tag/6.7.4 (ghsa, x_refsource_MISC, WEB)
- github.com/py-pdf/pypdf/security/advisories/GHSA-f2v5-7jq9-h8cg (ghsa, x_refsource_CONFIRM, WEB)