DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

Ouroboros in the Outline: Infinite Loops in pypdf (CVE-2026-24688)

Vulnerability ID: CVE-2026-24688
CVSS Score: 7.5
Published: 2026-01-26

A Denial of Service (DoS) vulnerability in the popular pypdf library allows attackers to trigger an infinite loop by crafting a PDF with cyclic outline references. This results in 100% CPU utilization and application hangs.

TL;DR

The pypdf library (< 6.6.2) fails to detect cycles when parsing PDF outlines (bookmarks). An attacker can craft a malicious PDF where bookmark A points to bookmark B, and bookmark B points back to A, causing the parser to enter an infinite loop. This effectively hangs the application, consuming all available CPU resources.
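To make the A → B → A shape concrete, here is an added example (not pypdf's code). Outline items are modelled as plain dicts carrying an assumed `obj` number that stands in for the PDF indirect object number, plus the `/Title`, `/First` (first child) and `/Next` (next sibling) links a real outline item uses; `walk_outline` records each object number it has seen and stops as soon as it meets one again, which is the same idea as the `visited` set in the upstream fix. All outline data below is constructed.

```python
"""Cycle-safe traversal of a PDF-style outline tree (added example, not pypdf code)."""
from __future__ import annotations

from typing import Optional


def walk_outline(node: Optional[dict], visited: Optional[set] = None,
                 depth: int = 0, entries: Optional[list] = None) -> tuple[list, bool]:
    """Return (entries, cycle_found).

    entries is a list of (depth, title) pairs in document order. Traversal
    stops the moment an item's object number has already been visited; that
    is exactly the case a cyclic /Next or /First chain turns into an endless
    loop when nothing tracks what has been seen.
    """
    if visited is None:
        visited = set()
    if entries is None:
        entries = []
    while node is not None:
        key = node["obj"]                 # track object identity, not the title
        if key in visited:
            return entries, True          # cycle: bail out instead of looping forever
        visited.add(key)
        entries.append((depth, node.get("/Title", "")))
        child = node.get("/First")
        if child is not None:             # descend into the children chain
            _, cycle = walk_outline(child, visited, depth + 1, entries)
            if cycle:
                return entries, True
        node = node.get("/Next")          # advance along the sibling chain
    return entries, False


def well_formed_outline() -> dict:
    """Constructed /Outlines root: Chapter 1 (with Section 1.1), then Chapter 2."""
    sec = {"obj": 12, "/Title": "Section 1.1"}
    ch2 = {"obj": 13, "/Title": "Chapter 2"}
    ch1 = {"obj": 11, "/Title": "Chapter 1", "/First": sec, "/Next": ch2}
    return {"obj": 10, "/First": ch1}


def cyclic_outline() -> dict:
    """Constructed /Outlines root whose siblings form the loop A -> B -> A."""
    a = {"obj": 21, "/Title": "A"}
    b = {"obj": 22, "/Title": "B", "/Next": a}
    a["/Next"] = b                        # B points back to A: the cyclic reference
    return {"obj": 20, "/First": a}


if __name__ == "__main__":
    print(walk_outline(well_formed_outline()["/First"]))
    print(walk_outline(cyclic_outline()["/First"]))
```

The sibling walk is iterative and the child walk recursive, so a very deep `/First` nesting is bounded by the interpreter's recursion limit rather than by this check; a production walker would additionally cap depth, since a hostile file can make nesting as deep as it likes without ever repeating an object.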


⚠️ Exploit Status: POC

Technical Details

  • Vulnerability ID: CVE-2026-24688
  • CWE ID: CWE-835
  • Type: Infinite Loop / DoS
  • CVSS: 7.5 (High)
  • Attack Vector: Network (File Upload)
  • Patch Date: 2026-01-26

Affected Systems

  • pypdf < 6.6.2 (fixed in 6.6.2)
  • Applications using pypdf for outline/bookmark extraction
  • PDF processing pipelines
  • Web applications accepting PDF uploads

Code Analysis

Commit: b1282f8

SEC: Detect cyclic references when retrieving outlines

@@ -123,6 +123,7 @@ def _get_outline(
         self,
         node: Optional[DictionaryObject] = None,
         outline: Optional[Any] = None,
+        visited: Optional[set[int]] = None,
     ) -> OutlineType:
         if outline is None:
             outline = []
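Review bot: the hunk shows only the signature change. `visited: Optional[set[int]] = None` correctly avoids a mutable default, but the lines that initialise it when `None` and that test the current node against it fall outside the visible context, so the visible `if outline is None: outline = []` pattern needs a matching `if visited is None: visited = set()` before any recursion, otherwise a caller that omits the argument hands `None` down the call chain. Please also document which integer the set holds (the indirect object number versus `id()` of the dictionary), since a caller supplying its own set must use the same key space. Minor: `set[int]` in a runtime-evaluated annotation requires Python 3.9 or newer (or `from __future__ import annotations`), worth a note if older interpreters are still supported.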

Exploit Details

  • GitHub: Proof of Concept PDF file with circular outline references provided in the issue tracker.

Mitigation Strategies

  • Update pypdf to version 6.6.2 immediately.
  • Implement strict timeouts for all PDF processing tasks.
  • Run PDF processing in isolated sandboxes or containers with resource limits.
  • Monitor application metrics for unexpected CPU spikes.
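The timeout and resource-limit advice above, as an added example that is not part of the original report: a helper that runs a parse callable in a forked child process under a CPU rlimit and a wall-clock budget, then kills the child if it overruns, so a cyclic-outline hang costs the service one worker process rather than a stuck request. It assumes a POSIX host (the `resource` module is Unix-only); `quick_sum` and `spin_forever` are constructed stand-ins for a normal parse and a hung one, not pypdf calls.

```python
"""Run an untrusted-input parser under CPU and wall-clock caps (added example)."""
import multiprocessing as mp
import resource
from typing import Any, Callable, Tuple

try:
    _CTX = mp.get_context("fork")   # fork: the callable and its input need no pickling
except ValueError:                  # no fork on this platform; fall back to the default
    _CTX = mp.get_context()


def _child(fn: Callable, args: tuple, cpu_seconds: int, conn) -> None:
    # Hard CPU-time ceiling inside the child: the kernel raises SIGXCPU when it
    # is exceeded, which terminates a runaway parser even if the parent is gone.
    _, hard = resource.getrlimit(resource.RLIMIT_CPU)
    cap = cpu_seconds if hard == resource.RLIM_INFINITY else min(cpu_seconds, hard)
    resource.setrlimit(resource.RLIMIT_CPU, (cap, cap))
    try:
        conn.send(("ok", fn(*args)))
    except BaseException as exc:    # report the failure instead of dying silently
        conn.send(("error", repr(exc)))
    finally:
        conn.close()


def run_with_limits(fn: Callable, args: tuple = (), wall_seconds: float = 5.0,
                    cpu_seconds: int = 5) -> Tuple[str, Any]:
    """Return ("ok", result), ("error", repr), ("killed", None) or ("timeout", None)."""
    parent_end, child_end = _CTX.Pipe(duplex=False)   # parent receives, child sends
    proc = _CTX.Process(target=_child, args=(fn, args, cpu_seconds, child_end))
    proc.start()
    child_end.close()   # drop the parent's copy so EOF is seen if the child dies
    if parent_end.poll(wall_seconds):
        try:
            status: Tuple[str, Any] = parent_end.recv()
        except EOFError:            # child exited (e.g. SIGXCPU) without reporting
            status = ("killed", None)
    else:
        status = ("timeout", None)  # wall-clock budget exhausted
    if proc.is_alive():
        proc.kill()                 # stop the hang; the request fails fast instead
    proc.join()
    parent_end.close()
    return status


def quick_sum(n: int) -> int:
    """Constructed stand-in for a parse that finishes normally."""
    return sum(range(n + 1))


def spin_forever() -> None:
    """Constructed stand-in for a parser stuck in a cyclic-outline loop."""
    while True:
        pass


if __name__ == "__main__":
    print(run_with_limits(quick_sum, (10,)))
    print(run_with_limits(spin_forever, wall_seconds=0.5, cpu_seconds=2))
```

The wall-clock check lives in the parent and the CPU cap in the child on purpose: the first catches a parser that blocks without burning CPU, the second survives even if the parent crashes. A `("timeout", None)` or `("killed", None)` result is also the signal worth counting in metrics, which is the CPU-spike monitoring point above turned into a concrete event.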

Remediation Steps:

  1. Check your current version: pip show pypdf
  2. Upgrade: pip install "pypdf>=6.6.2" (quote the specifier so the shell does not treat > as a redirect)
  3. Verify the fix by running the PoC script against the updated library.
  4. Re-deploy the application services.

References


Read the full report for CVE-2026-24688 on our website for more details including interactive diagrams and full exploit analysis.
