pypdf, Allocation of Resources Without Limits or Throttling, CVE-2026-48735 (Moderate) -DC-Jun2026-463


How CVE-2026-48735 Works

pypdf is a free and open-source pure-Python PDF library. Prior to version 6.12.1, the library is vulnerable to a denial-of-service (DoS) condition caused by excessive memory consumption during the parsing of XMP (Extensible Metadata Platform) metadata streams.
XMP metadata is embedded within PDF files to provide rich information about the document’s content, structure, and properties. When pypdf processes a PDF, it parses this XMP metadata to extract relevant information. The vulnerability stems from the library’s failure to properly limit memory allocation when parsing XMP metadata streams. An attacker can exploit this by crafting a malicious PDF containing a large and complex XMP metadata stream. This crafted metadata may contain unnecessary elements, deeply nested structures, or oversized entity declarations that cause the parser to allocate excessive amounts of RAM during processing.
The issue aligns with CWE-770: Allocation of Resources Without Limits or Throttling. When a vulnerable application using pypdf attempts to parse such a malicious PDF, the parser consumes ever-increasing memory until system resources are exhausted. This can lead to application crashes, system slowdowns, or complete system unavailability. The attack vector is particularly concerning because XMP metadata is commonly embedded in PDF files and is automatically processed by PDF readers and processing applications. The exploitation requires only that the target application parses the XMP metadata, which is a standard operation for most PDF processing libraries, making the attack surface quite broad. This vulnerability is fixed in pypdf version 6.12.1.

DailyCVE Form

Platform: pypdf (py-pdf)
Version: < 6.12.1
Vulnerability: CWE-770 Resource Exhaustion
Severity: Moderate (CVSS 6.9)
Date: 2026-05-28

Prediction: 2026-06-16 (Patched)

What Undercode Says: Analytics

# Check the currently installed pypdf version
pip show pypdf | grep Version
# Check the pypdf version pinned in requirements.txt
grep pypdf requirements.txt
# List pypdf if a newer release than the installed one is available
pip list --outdated | grep pypdf

Vulnerable Code Pattern (Pre-6.12.1):

# The XMP metadata parser in vulnerable versions lacks memory limits
from pypdf import PdfReader

# A malicious PDF with large XMP metadata triggers excessive RAM allocation
reader = PdfReader("malicious.pdf")
xmp = reader.xmp_metadata  # the XMP stream is parsed on access; RAM exhaustion occurs here

Detection (Post-Exploitation):

# Monitor memory usage spikes during PDF processing
watch -n 1 'ps aux --sort=-%mem | head -10'
# Check for OOM killer events
dmesg | grep -i "out of memory"
# Monitor system memory
free -h && vmstat 1 5

Exploit

An attacker can exploit this vulnerability by crafting a PDF file containing a malicious XMP metadata stream with excessive XML entity declarations, deeply nested structures, or an oversized payload. When a vulnerable application using pypdf (versions prior to 6.12.1) parses this PDF, the XMP metadata parser allocates memory without limits, leading to unbounded RAM consumption. The file can be delivered via email attachments, web downloads, or any vector that allows the target to process untrusted PDF files. The attack requires no user interaction beyond opening or processing the PDF, and can cause denial of service in both individual applications and enterprise document processing pipelines.

Protection

  1. Upgrade to pypdf version 6.12.1 or later – This is the primary and most effective mitigation.
  2. Apply the patch from PR 3796 – If an immediate upgrade is not possible, apply the changes from GitHub pull request 3796.
  3. Implement input validation – Limit the size of XMP metadata processing at the application level.
  4. Deploy sandboxing – Process untrusted PDFs in isolated environments with memory limits.
  5. Monitor memory consumption – Establish alerts for unusual memory usage patterns during PDF processing.
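One way to implement protection step 3 above, as an added example (not pypdf's own code and not part of the original advisory): scan the raw PDF for /Type /Metadata stream objects and refuse to hand the file to pypdf when an XMP stream is oversized, carries DTD/entity declarations, or nests too deeply. The caps MAX_XMP_BYTES and MAX_XML_DEPTH, and the make_pdf/BENIGN_XMP sample input, are assumed values constructed for this example.

```python
"""Application-level pre-check of XMP metadata streams before handing a PDF to pypdf."""
import re

MAX_XMP_BYTES = 1_000_000   # assumed cap on a single XMP stream; tune for your workload
MAX_XML_DEPTH = 64          # assumed cap on element nesting depth
# A flat stream dictionary followed by its raw body up to 'endstream'.
_STREAM_RE = re.compile(rb"<<(?P<dict>(?:(?!>>).)*?)>>\s*stream\r?\n(?P<body>.*?)endstream", re.DOTALL)
# Direct /Length value only; an indirect reference such as '/Length 5 0 R' is not matched.
_LEN_RE = re.compile(rb"/Length\s+(\d+)(?![\s\d]*R)")
# XML start/end tags; processing instructions, comments and DTD markup (<? and <!) are skipped.
_TAG_RE = re.compile(rb"<(/?)([A-Za-z_:][\w:.-]*)[^<>]*?(/?)>")
# Constructed benign XMP packet used as sample input.
BENIGN_XMP = (b'<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?><x:xmpmeta xmlns:x="adobe:ns:meta/">'
              b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:Description rdf:about=""'
              b' xmlns:dc="http://purl.org/dc/elements/1.1/"><dc:title>demo</dc:title></rdf:Description>'
              b'</rdf:RDF></x:xmpmeta><?xpacket end="w"?>')

def xml_depth(body: bytes) -> int:
    """Maximum element nesting depth, found by a tag scan rather than by building a tree."""
    depth = max_depth = 0
    for closing, _, self_closing in _TAG_RE.findall(body):
        if closing:
            depth -= 1
        elif not self_closing:
            depth += 1
            max_depth = max(max_depth, depth)
    return max_depth

def check_xmp(pdf: bytes, max_bytes: int = MAX_XMP_BYTES, max_depth: int = MAX_XML_DEPTH) -> list:
    """Return findings for every /Type /Metadata stream; an empty list means no cap was tripped."""
    findings = []
    for n, m in enumerate(_STREAM_RE.finditer(pdf)):
        d, body = m.group("dict"), m.group("body")
        if b"/Metadata" not in d:
            continue
        declared = int(lm.group(1)) if (lm := _LEN_RE.search(d)) else 0
        size = max(declared, len(body))          # trust neither the header nor the body alone
        if size > max_bytes:
            findings.append(f"stream {n}: {size} bytes exceeds cap {max_bytes}")
        if b"/Filter" not in d:                  # only inspect bodies stored uncompressed
            if b"<!DOCTYPE" in body or b"<!ENTITY" in body:
                findings.append(f"stream {n}: DTD/entity declarations in XMP")
            if (depth := xml_depth(body)) > max_depth:
                findings.append(f"stream {n}: nesting depth {depth} exceeds cap {max_depth}")
    return findings

def make_pdf(xmp: bytes) -> bytes:
    """Constructed minimal PDF skeleton carrying one XMP stream (enough for the check, not a full PDF)."""
    return (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Metadata 2 0 R >>\nendobj\n2 0 obj\n<< /Type /Metadata"
            b" /Subtype /XML /Length " + str(len(xmp)).encode() + b" >>\nstream\n" + xmp + b"\nendstream\nendobj\n")
```

Call check_xmp on the file bytes before constructing PdfReader and reject the file on any finding; compressed (/Filter) metadata streams are only size-checked here, so keep the memory-limited sandbox from step 4 as the backstop.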

Impact

  • Denial of Service (DoS) – Excessive memory consumption leads to application crashes, system slowdowns, or complete system resource exhaustion.
  • Availability Impact – High (CVSS:4.0/VA:H).
  • Attack Complexity – Low (CVSS:4.0/AC:L).
  • Privileges Required – None (CVSS:4.0/PR:N).
  • User Interaction – None required (CVSS:4.0/UI:N).
  • Widespread Exposure – Affects all applications using pypdf versions prior to 6.12.1 that process untrusted PDF files.
  • Enterprise Risk – Can cause cascading failures in automated document processing pipelines.


Sources:

Reported By: github.com