CVE-2026-48156 - Vulnerability Details

pypdf is a free and open-source pure-python PDF library. Prior to 6.12.0, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires cross-reference streams with /W [0 0 0] values and large /Size values. This vulnerability is fixed in 6.12.0.

Attack Vector Local

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

References

Link	Providers
https://github.com/py-pdf/pypdf/pull/3791
https://github.com/py-pdf/pypdf/releases/tag/6.12.0
https://github.com/py-pdf/pypdf/security/advisories/GHSA-248m-82v9-q6g6

History

Thu, 28 May 2026 15:30:00 +0000

Type	Values Removed	Values Added
Description		pypdf is a free and open-source pure-python PDF library. Prior to 6.12.0, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires cross-reference streams with /W [0 0 0] values and large /Size values. This vulnerability is fixed in 6.12.0.
Title		pypdf: Possible long runtimes for zero-only width values in cross-reference streams
Weaknesses		CWE-834
References		https://github.com/py-pdf/pypdf/pull/3791 https://github.com/py-pdf/pypdf/releases/tag/6.12.0 https://github.com/py-pdf/pypdf/security/advisories/GHSA-248m-82v9-q6g6
Metrics		cvssV4_0 `{'score': 5.1, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-05-28T14:50:41.829Z

Updated: 2026-05-28T14:50:41.829Z

Reserved: 2026-05-20T23:12:43.031Z

Link: CVE-2026-48156

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-28T16:16:29.020

Modified: 2026-05-28T16:16:29.020

Link: CVE-2026-48156

Redhat

No data.

OpenCVE Enrichment

No data.

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object