Manipulated FlateDecode predictor parameters can exhaust RAM
Moderate severity
stefan6419846 published GHSA-7gw9-cf7v-778f on Apr 15, 2026
Package
pypdf
(PyPI)
Affected versions
< 6.10.2
Patched versions
>= 6.10.2
Description
Impact
An attacker who uses this vulnerability can craft a PDF which leads to the RAM being exhausted. This requires accessing a stream compressed using /FlateDecode with a /Predictor value other than 1 and large predictor parameters.
The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.
Patches
This has been fixed in pypdf==6.10.2.
Workarounds
If you cannot upgrade yet, consider applying the changes from PR #3734.
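As an added illustration of the guard the advisory calls for (this is not pypdf's own code and not the change from PR #3734), the predictor parameters from /DecodeParms are checked against the length of the data actually decompressed before any row buffer is sized; the sample stream and parameter dictionaries below are constructed.

```python
import zlib

# Constructed sample (not from the advisory): two 3-byte rows, each prefixed
# with PNG filter type 2 ("Up"), deflate-compressed like a /FlateDecode stream.
SAMPLE_STREAM = zlib.compress(b"\x02\x01\x02\x03" + b"\x02\x01\x01\x01")
SAMPLE_PARMS = {"/Predictor": 12, "/Colors": 1, "/BitsPerComponent": 8, "/Columns": 3}
# Hostile /DecodeParms: /Columns implies a row far larger than the stream holds.
HOSTILE_PARMS = {"/Predictor": 12, "/Columns": 10**9}

def row_length(params: dict) -> int:
    """Bytes per row implied by the parameters (PDF defaults: 1 color, 8 bpc, 1 column)."""
    colors = int(params.get("/Colors", 1))
    bpc = int(params.get("/BitsPerComponent", 8))
    columns = int(params.get("/Columns", 1))
    if colors < 1 or columns < 1 or bpc not in (1, 2, 4, 8, 16):
        raise ValueError("invalid predictor parameters")
    return (columns * colors * bpc + 7) // 8

def check_predictor_params(params: dict, data: bytes) -> int:
    """Return the row length, or raise if the declared geometry cannot fit the
    decompressed data. Sizing buffers from the parameters alone is the bug class
    the advisory describes; this bounds them by what was actually read."""
    predictor = int(params.get("/Predictor", 1))
    if predictor == 1:
        return len(data)
    rowlen = row_length(params)
    # PNG predictors (>= 10) carry one filter-type byte per row; TIFF (2) does not.
    stride = rowlen + 1 if predictor >= 10 else rowlen
    if stride > len(data):
        raise ValueError(f"row of {stride} bytes exceeds {len(data)} bytes of data")
    return rowlen

def decode_png_up(params: dict, data: bytes) -> bytes:
    """Apply the PNG 'Up' filter after the guard; other filter types are rejected."""
    rowlen = check_predictor_params(params, data)
    out, prev = bytearray(), bytes(rowlen)
    for off in range(0, len(data), rowlen + 1):
        ftype, row = data[off], data[off + 1 : off + 1 + rowlen]
        if ftype != 2:
            raise ValueError(f"unsupported PNG filter type {ftype}")
        prev = bytes((a + b) & 0xFF for a, b in zip(row, prev))
        out += prev
    return bytes(out)

def decode_stream(params: dict, compressed: bytes) -> bytes:
    """Inflate, then decode with the predictor guard applied."""
    return decode_png_up(params, zlib.decompress(compressed))
```

With the hostile dictionary the guard rejects the stream before a row buffer is allocated, whereas sizing the buffer from /Columns alone would attempt a gigabyte-scale allocation for an 8-byte stream.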