{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33699", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T17:06:05.746Z", "datePublished": "2026-03-26T23:58:42.776Z", "dateUpdated": "2026-03-26T23:58:42.776Z"}, "containers": {"cna": {"title": "pypdf: Possible infinite loop during recovery attempts in DictionaryObject.read_from_stream", "problemTypes": [{"descriptions": [{"cweId": "CWE-835", "lang": "en", "description": "CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U", "version": "4.0"}}], "references": [{"name": "https://github.com/py-pdf/pypdf/security/advisories/GHSA-87mj-5ggw-8qc3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/py-pdf/pypdf/security/advisories/GHSA-87mj-5ggw-8qc3"}, {"name": "https://github.com/py-pdf/pypdf/pull/3693", "tags": ["x_refsource_MISC"], "url": "https://github.com/py-pdf/pypdf/pull/3693"}, {"name": "https://github.com/py-pdf/pypdf/releases/tag/6.9.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/py-pdf/pypdf/releases/tag/6.9.2"}], "affected": [{"vendor": "py-pdf", "product": "pypdf", "versions": [{"version": "< 6.9.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T23:58:42.776Z"}, "descriptions": [{"lang": "en", "value": "pypdf is a free and open-source pure-python PDF library. Versions prior to 6.9.2 have a vulnerability in which an attacker can craft a PDF which leads to an infinite loop. This requires reading a file in non-strict mode. This has been fixed in pypdf 6.9.2. If users cannot upgrade yet, consider applying the changes from the patch manually."}], "source": {"advisory": "GHSA-87mj-5ggw-8qc3", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "pypdf is a free and open-source pure-python PDF library. Versions prior to 6.9.2 have a vulnerability in which an attacker can craft a PDF which leads to an infinite loop. This requires reading a file in non-strict mode. This has been fixed in pypdf 6.9.2. If users cannot upgrade yet, consider applying the changes from the patch manually."}], "id": "CVE-2026-33699", "lastModified": "2026-03-27T01:16:19.147", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T01:16:19.147", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/py-pdf/pypdf/pull/3693"}, {"source": "security-advisories@github.com", "url": "https://github.com/py-pdf/pypdf/releases/tag/6.9.2"}, {"source": "security-advisories@github.com", "url": "https://github.com/py-pdf/pypdf/security/advisories/GHSA-87mj-5ggw-8qc3"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-835"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.9.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "pypdf", "source": "cna", "vendor": "py-pdf"}, "product": "pypdf", "vendor": "py-pdf"}], "analysis": {"en": {"generated_at": "2026-03-27T06:26:11.179343+00:00", "value": {"mitigation_remediation": ["Upgrade the pypdf library to version 6.9.2 or later.", "If an upgrade is not possible, apply the changes from PR 3693 manually to your local copy.", "Process PDFs in strict mode when feasible to avoid the recovery path that triggers the loop.", "Monitor application resource usage and consider validating input file size to limit potential impact."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service (infinite loop)"}, "threat_synthesis": {"affected_systems": "All installations of py-pdf:pypdf that run a version older than 6.9.2 and use non-strict mode are affected. Any application that imports pypdf to read or manipulate PDF files can be impacted. Upgrading to 6.9.2 or later mitigates the issue.", "description_and_impact": "The vulnerability resides in the pypdf library, a pure-Python PDF manipulation package. Versions earlier than 6.9.2 allow a malicious PDF to trigger an infinite loop while the library attempts to recover a dictionary object during stream parsing. The loop consumes CPU and memory until the process terminates, resulting in denial of service. The flaw corresponds to CWE-835: Infinite Loop.", "risk_and_exploitability": "The CVSS score of 4.6 denotes moderate severity, but the practical risk of exhausting system resources and causing application downtime is significant. No publicly disclosed exploits exist and the flaw is not listed in CISA\u2019s KEV catalog. The only prerequisite is delivering a crafted PDF to the library, making the attack vector simple and likely to be used against services that process untrusted PDFs. Although EPSS data is unavailable, the overall risk warrants immediate attention."}}}}, "created": "2026-03-27T08:31:18.349095+00:00", "updated": "2026-03-27T09:22:40.613972+00:00", "vendors": ["py-pdf", "py-pdf$PRODUCT$pypdf"]}