CVE-2026-28351: Uncontrolled Resource Consumption in pypdf RunLengthDecode
Vulnerability ID: CVE-2026-28351
CVSS Score: 6.9
Published: 2026-02-28
A resource exhaustion vulnerability exists in the pypdf library versions prior to 6.7.4, specifically within the RunLengthDecode filter implementation. The flaw allows attackers to trigger an infinite loop or excessive memory allocation via crafted PDF streams, leading to Denial of Service (DoS) through Out-Of-Memory (OOM) conditions. This issue affects automated PDF processing pipelines where untrusted files are parsed without strict resource limits.
TL;DR
pypdf versions before 6.7.4 contain a vulnerability in the RunLengthDecode filter that allows for unbounded memory allocation. By crafting a PDF with a malformed RLE stream, an attacker can crash the host application via OOM. The fix in version 6.7.4 introduces strict output size limits.
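To make the failure mode concrete, the following is an added example (my own code, not pypdf's implementation) of a minimal PDF RunLengthDecode decoder that enforces an output-size cap of the kind the 6.7.4 fix introduces. The names RUN_LENGTH_MAX_OUTPUT_LENGTH and LimitReachedError mirror the patch fragment in the Code Analysis section; the decoder logic, the helper names and the sample streams are assumptions made for illustration.

```python
# Added example, not pypdf's implementation: a minimal PDF RunLengthDecode
# decoder that enforces an output-size cap of the kind introduced in 6.7.4.
# RUN_LENGTH_MAX_OUTPUT_LENGTH and LimitReachedError mirror the names in the
# patch; everything else here is assumed for illustration.

RUN_LENGTH_MAX_OUTPUT_LENGTH = 75_000_000  # cap value used by the fix in pypdf 6.7.4
EOD = 128  # end-of-data marker in RunLengthDecode


class LimitReachedError(ValueError):
    """Raised when the decoded output would exceed the configured cap."""


def run_length_decode(data: bytes, max_output: int = RUN_LENGTH_MAX_OUTPUT_LENGTH) -> bytes:
    """Decode a PDF RunLengthDecode stream (PDF 32000-1:2008, section 7.4.5).

    Each run starts with a length byte L:
      0..127   -> the next L+1 bytes are copied literally
      129..255 -> the next single byte is repeated 257-L times
      128      -> end of data
    A 2-byte repeat run can expand to 128 bytes (a 64x ratio), which is why the
    output size, not the input size, must be bounded.
    """
    out = bytearray()
    total_length = 0  # bytes produced so far, checked before each run is appended
    i = 0
    n = len(data)
    while i < n:
        length = data[i]
        i += 1
        if length == EOD:
            break
        if length < EOD:
            count = length + 1
            chunk = data[i:i + count]
            if len(chunk) < count:
                raise ValueError("truncated literal run")
            i += count
        else:
            if i >= n:
                raise ValueError("truncated repeat run")
            count = 257 - length
            chunk = bytes((data[i],)) * count
            i += 1
        total_length += count
        if total_length > max_output:
            # Refuse before the oversized run is materialised in the output buffer.
            raise LimitReachedError("Limit reached while decompressing.")
        out += chunk
    return bytes(out)


def worst_case_expansion(encoded_length: int) -> int:
    """Upper bound on decoded size: every (length, byte) pair may yield 128 bytes."""
    return ((encoded_length + 1) // 2) * 128


def decode_within_limit(data: bytes, max_output: int) -> bool:
    """True if the stream decodes within max_output bytes, False if the cap trips."""
    try:
        run_length_decode(data, max_output)
    except LimitReachedError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample: ten 2-byte repeat runs (length 0x81 -> 128 copies of b"A").
    sample = b"\x81A" * 10 + b"\x80"
    print(len(run_length_decode(sample)))      # 1280
    print(decode_within_limit(sample, 1000))   # False
    print(worst_case_expansion(len(sample)))   # 1408
```

The check runs on the running total before each run is appended, so the buffer never grows past the cap; with a 64x worst-case ratio, an input of a little over 1.1 MB is enough to reach 75 MB of output, which is why bounding the input size alone is not an adequate substitute.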
⚠️ Exploit Status: PoC
Technical Details
- CWE ID: CWE-400
- CVSS v4.0: 6.9
- Attack Vector: Network
- Impact: Denial of Service (DoS)
- Exploit Status: PoC Available
- Fix Version: 6.7.4
Affected Systems
- pypdf < 6.7.4 (fixed in 6.7.4)
Code Analysis
Commit: e81881b
PR #3664: Add max output length check to RunLengthDecode
RUN_LENGTH_MAX_OUTPUT_LENGTH = 75_000_000
+ if total_length > RUN_LENGTH_MAX_OUTPUT_LENGTH:
+ raise LimitReachedError("Limit reached while decompressing.")
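Review bot: the `if total_length > RUN_LENGTH_MAX_OUTPUT_LENGTH` check only prevents the OOM if it runs before the decoded run is appended to the output buffer; the fragment does not show where `total_length` is incremented relative to that append, so that ordering is worth confirming in the PR. The message `"Limit reached while decompressing."` would also be more useful to operators if it named the filter and the limit, for example `"RunLengthDecode output exceeded 75000000 bytes"`, so the error can be told apart from other decompression limits when triaging a DoS.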
Exploit Details
- GitHub Security Advisory: Advisory containing PoC logic for RLE expansion.
Mitigation Strategies
- Upgrade pypdf to version 6.7.4 or later.
- Implement memory limits on worker processes handling PDF parsing.
- Validate PDF file structure before full processing.
Remediation Steps:
- Run `pip install 'pypdf>=6.7.4'` to apply the patch (quote the specifier so the shell does not treat `>` as a redirection).
- Restart application services to load the new library version.
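As an added example of the "validate before full processing" mitigation above (my own code, not pypdf's or the advisory's), the following heuristic scans a PDF's raw bytes for stream objects that use /RunLengthDecode, computes each one's worst-case decoded size from the 64x expansion ratio, and reports which objects exceed a per-stream budget. The object matching is regex based and approximate (no xref or object-stream parsing); the function names, the budget constant and the sample PDF bytes are all assumptions.

```python
# Added example, not pypdf's code: a heuristic pre-parse check that flags PDF
# stream objects using /RunLengthDecode whose worst-case decoded size exceeds a
# budget, so such files can be rejected or routed to an isolated worker before
# a full parse. Regex-based and approximate (no xref parsing, no object
# streams); all names and the sample PDF below are assumed for illustration.
import re
from typing import Dict, List, Tuple

# Per-stream budget; 75_000_000 matches the cap the pypdf 6.7.4 fix enforces.
DEFAULT_STREAM_BUDGET = 75_000_000

# "N G obj << ...dict... >> stream": non-greedy dictionary capture up to the stream keyword.
_OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*<<(.*?)>>\s*stream\r?\n", re.S)
# Direct /Length only; an indirect reference such as "/Length 7 0 R" is skipped.
_LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\d)(?!\s+\d+\s+R)")


def rle_worst_case(encoded_length: int) -> int:
    """Every 2-byte repeat run in RunLengthDecode can expand to 128 bytes."""
    return ((encoded_length + 1) // 2) * 128


def scan_rle_streams(pdf: bytes, budget: int = DEFAULT_STREAM_BUDGET) -> Dict[str, object]:
    """Return per-stream worst-case sizes and the object numbers over budget."""
    streams: List[Tuple[int, int, int]] = []  # (obj_num, encoded_len, worst_case)
    for m in _OBJ_RE.finditer(pdf):
        obj_num, dictionary = int(m.group(1)), m.group(3)
        if b"/RunLengthDecode" not in dictionary:
            continue
        lm = _LENGTH_RE.search(dictionary)
        if lm:
            encoded_len = int(lm.group(1))
        else:
            # Indirect or missing /Length: measure up to the endstream keyword.
            end = pdf.find(b"endstream", m.end())
            encoded_len = (end if end != -1 else len(pdf)) - m.end()
        streams.append((obj_num, encoded_len, rle_worst_case(encoded_len)))
    over = [obj for obj, _, worst in streams if worst > budget]
    return {
        "rle_streams": streams,
        "worst_case_total": sum(w for _, _, w in streams),
        "over_budget": over,
    }


# Constructed sample PDF fragment (not a real document): one RunLengthDecode
# image stream and one FlateDecode stream.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /XObject /Subtype /Image /Filter /RunLengthDecode /Length 4 >>\n"
    b"stream\n\x81A\x81B\nendstream\nendobj\n"
    b"2 0 obj\n<< /Filter /FlateDecode /Length 3 >>\n"
    b"stream\nabc\nendstream\nendobj\n"
)

if __name__ == "__main__":
    # A deliberately small budget shows object 1 being flagged (worst case 256 bytes).
    print(scan_rle_streams(SAMPLE_PDF, budget=100))
```

The worst-case bound is intentionally pessimistic: a file it flags is not necessarily malicious, only one whose decoding cannot be proven cheap from the outside, so the practical use is to send flagged files to a worker that runs under the process-level memory limit recommended above rather than to the shared parsing pool.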