CVE-2026-27888

Published: 26 Feb 2026
Source: redhat
CVSS3: 5.3

Description

pypdf is a free and open-source pure-python PDF library. Prior to 6.7.3, an attacker who uses this vulnerability can craft a PDF which leads to the RAM being exhausted. This requires accessing the xfa property of a reader or writer and the corresponding stream being compressed using /FlateDecode. This has been fixed in pypdf 6.7.3. As a workaround, apply the patch manually.

A flaw was found in pypdf. A remote attacker can exploit this vulnerability by supplying a crafted PDF document. When the affected application processes this PDF, the result is excessive memory consumption and a denial of service (DoS) for the affected system. The issue is triggered specifically when the xfa property of a PDF reader or writer is accessed and the corresponding stream is compressed using /FlateDecode; code that never touches the xfa property is not exposed to this path.
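The descriptions above explain the failure mode but not why a few kilobytes of /FlateDecode data can exhaust RAM, nor what a defensive decoder looks like. The following is an added example, not pypdf's own code and not the fix shipped in 6.7.3 (the fix is to upgrade): it shows a deflate stream whose tiny compressed size hides a very large inflated size, and a bounded inflate routine that feeds zlib with max_length so output is capped instead of allocated on demand. The cap value, the sample streams and the version-string parser are assumptions made for the example.

```python
import zlib

# Hypothetical cap on inflated size; set it to the largest legitimate XFA payload you expect.
MAX_INFLATED_BYTES = 10 * 1024 * 1024  # 10 MiB
FIXED_VERSION = (6, 7, 3)  # from the advisory: fixed in pypdf 6.7.3


class InflateLimitExceeded(ValueError):
    """Raised when a FlateDecode stream would inflate past the configured cap."""


def bounded_inflate(data: bytes, limit: int = MAX_INFLATED_BYTES) -> bytes:
    """Inflate a zlib (FlateDecode) stream without ever buffering more than `limit` bytes.

    zlib.decompress() allocates whatever the stream demands; here the decompressor is
    driven with max_length so output grows one bounded chunk at a time and the caller
    can abort as soon as the cap is crossed.
    """
    d = zlib.decompressobj()
    out = bytearray()
    pending = data
    while not d.eof:
        # Ask for at most one byte beyond the cap so crossing it is observable.
        room = limit - len(out) + 1
        piece = d.decompress(pending, max_length=room)
        out += piece
        if len(out) > limit:
            raise InflateLimitExceeded(
                f"stream would inflate past {limit} bytes from only {len(data)} compressed bytes"
            )
        # Input zlib did not consume because the output window filled up.
        pending = d.unconsumed_tail
        if not piece and not pending:
            raise ValueError("truncated FlateDecode stream")
    return bytes(out)


def is_vulnerable_version(version: str) -> bool:
    """True for pypdf versions before 6.7.3. Assumes plain X.Y.Z version strings."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    return parts < FIXED_VERSION


# Constructed samples (not taken from any real PDF):
# a realistic-looking small XFA stream, and a 16 MiB run of zero bytes that
# deflates to a few tens of kilobytes, i.e. a highly asymmetric stream.
SMALL_PLAIN = b"<xdp:xdp xmlns:xdp='http://ns.adobe.com/xdp/'/>"
SMALL = zlib.compress(SMALL_PLAIN)
BOMB_PLAIN_SIZE = 16 * 1024 * 1024
BOMB = zlib.compress(b"\x00" * BOMB_PLAIN_SIZE, 9)


def demo() -> dict:
    """Run the bounded decoder over both samples and report what happened."""
    result = {"bomb_compressed_bytes": len(BOMB), "small_ok": bounded_inflate(SMALL) == SMALL_PLAIN}
    try:
        bounded_inflate(BOMB)  # default 10 MiB cap: must refuse the 16 MiB payload
        result["bomb_blocked"] = False
    except InflateLimitExceeded:
        result["bomb_blocked"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The cap is the whole mitigation: with a limit below the payload's inflated size the decoder raises after buffering at most `limit` bytes, while an unbounded `zlib.decompress()` on the same input commits the full 16 MiB (or far more for a larger sample). Note that the page's sources disagree on severity (Red Hat 5.3, NVD/Ubuntu/Debian/FSTEC 7.5); whichever score your process uses, the practical test is whether any code path in your deployment reads the xfa property of untrusted PDFs with pypdf older than 6.7.3.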

Affected packages

Platform | Package | State | Recommendation | Release
OpenShift Lightspeed | openshift-lightspeed/lightspeed-ocp-rag-rhel9 | Affected | | 
OpenShift Lightspeed | openshift-lightspeed/lightspeed-service-api-rhel9 | Affected | | 
OpenShift Lightspeed | openshift-lightspeed-tech-preview/lightspeed-rag-tool-rhel9 | Affected | | 
Red Hat Enterprise Linux AI (RHEL AI) 3 | rhelai3/bootc-cuda-rhel9 | Not affected | | 
Red Hat Enterprise Linux AI (RHEL AI) 3 | rhelai3/disk-image-cuda-rhel9 | Not affected | | 
Red Hat OpenShift AI (RHOAI) | rhoai/odh-llama-stack-core-rhel9 | Affected | | 

(The Recommendation and Release columns are empty for every row on the page: no errata or fixed build is listed yet for the affected containers.)


Additional information

Severity: Moderate
Weakness: CWE-1050 (Excessive Platform Resource Consumption within a Loop)
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2442899 (pypdf: Denial of Service via crafted PDF)
CVSS3: 5.3 (Medium)

Related vulnerabilities

CVSS3: 7.5
ubuntu
30 days ago

pypdf is a free and open-source pure-python PDF library. Prior to 6.7.3, an attacker who uses this vulnerability can craft a PDF which leads to the RAM being exhausted. This requires accessing the `xfa` property of a reader or writer and the corresponding stream being compressed using `/FlateDecode`. This has been fixed in pypdf 6.7.3. As a workaround, apply the patch manually.

CVSS3: 7.5
nvd
30 days ago

pypdf is a free and open-source pure-python PDF library. Prior to 6.7.3, an attacker who uses this vulnerability can craft a PDF which leads to the RAM being exhausted. This requires accessing the `xfa` property of a reader or writer and the corresponding stream being compressed using `/FlateDecode`. This has been fixed in pypdf 6.7.3. As a workaround, apply the patch manually.

CVSS3: 7.5
debian
30 days ago

pypdf is a free and open-source pure-python PDF library. Prior to 6.7. ...

github
29 days ago

pypdf: Manipulated FlateDecode XFA streams can exhaust RAM

CVSS3: 7.5
fstec
about 1 month ago

Vulnerability in the PyPDF Python library for working with PDF files, related to uncontrolled resource consumption, allowing an attacker to cause a denial of service
