{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33123", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T20:35:49.926Z", "datePublished": "2026-03-20T09:09:12.831Z", "dateUpdated": "2026-03-20T09:09:12.831Z"}, "containers": {"cna": {"title": "pypdf has inefficient decoding of array-based streams", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-407", "lang": "en", "description": "CWE-407: Inefficient Algorithmic Complexity", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/py-pdf/pypdf/security/advisories/GHSA-qpxp-75px-xjcp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/py-pdf/pypdf/security/advisories/GHSA-qpxp-75px-xjcp"}, {"name": "https://github.com/py-pdf/pypdf/pull/3686", "tags": ["x_refsource_MISC"], "url": "https://github.com/py-pdf/pypdf/pull/3686"}, {"name": "https://github.com/py-pdf/pypdf/releases/tag/6.9.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/py-pdf/pypdf/releases/tag/6.9.1"}], "affected": [{"vendor": "py-pdf", "product": "pypdf", "versions": [{"version": "< 6.9.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T09:09:12.831Z"}, "descriptions": [{"lang": "en", "value": "pypdf is a free and open-source pure-python PDF library. Versions prior to 6.9.1 allow an attacker to craft a malicious PDF which leads to long runtimes and/or large memory usage. Exploitation requires accessing an array-based stream with many entries. This issue has been fixed in version 6.9.1."}], "source": {"advisory": "GHSA-qpxp-75px-xjcp", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "pypdf is a free and open-source pure-python PDF library. Versions prior to 6.9.1 allow an attacker to craft a malicious PDF which leads to long runtimes and/or large memory usage. Exploitation requires accessing an array-based stream with many entries. This issue has been fixed in version 6.9.1."}], "id": "CVE-2026-33123", "lastModified": "2026-03-20T13:37:50.737", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T10:16:18.717", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/py-pdf/pypdf/pull/3686"}, {"source": "security-advisories@github.com", "url": "https://github.com/py-pdf/pypdf/releases/tag/6.9.1"}, {"source": "security-advisories@github.com", "url": "https://github.com/py-pdf/pypdf/security/advisories/GHSA-qpxp-75px-xjcp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}, {"lang": "en", "value": "CWE-407"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-20T11:22:17.288639+00:00", "value": {"mitigation_remediation": ["Update pypdf to version 6.9.1 or later to eliminate the inefficient stream decoding."], "summary": {"action": "Apply Patch", "impact": "Denial of Service (resource exhaustion)"}, "threat_synthesis": {"affected_systems": "All releases of py\u2011pdf:pypdf before version 6.9.1 are affected. The fix is incorporated in the 6.9.1 release and later versions.", "description_and_impact": "pypdf is a pure\u2011python PDF library that processes streams within PDF files. A vulnerability exists in versions prior to 6.9.1 where the library inefficiently decodes array\u2011based streams. When a PDF contains a stream with an extremely large number of array entries, the parsing algorithm consumes unusually high amounts of memory and CPU time, potentially causing the process that loaded the PDF to become unresponsive or to crash. This uncontrolled consumption falls under CWE\u2011400 and CWE\u2011407.", "risk_and_exploitability": "The CVSS score of 5.1 indicates moderate severity; exploitation needs only a malicious PDF to be processed by the vulnerable library. There is no potential for code execution, but an attacker can trigger a denial\u2011of\u2011service by sending a specially crafted file. EPSS data is not provided and the vulnerability is not listed in the CISA KEV catalog. The risk is moderate and can be mitigated by applying the available patch. The likely attack vector is through any application that loads untrusted PDFs."}}}}, "created": "2026-03-20T14:13:53.696022+00:00", "updated": "2026-03-20T14:13:53.696055+00:00", "vendors": []}