pypdf: Possible long runtimes for wrong size values in incremental mode
Description
Published to the GitHub Advisory Database
Apr 16, 2026
Reviewed
Apr 16, 2026
Published by the National Vulnerability Database
Apr 22, 2026
Last updated
May 5, 2026
Impact
An attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires loading a PDF with a large trailer
/Sizevalue in incremental mode.Patches
This has been fixed in pypdf==6.10.2.
Workarounds
If you cannot upgrade yet, consider applying the changes from PR #3735.
References