pypdf, Denial of Service (DoS), CVE-2026-41312 (Medium) -DC-Jun2026-461


How CVE-2026-41312 Works

The vulnerability resides in pypdf’s handling of FlateDecode‑encoded streams that use a PNG predictor (`/Predictor` values 10–15). When such a stream is decoded, the `_decode_png_prediction` method computes the size of the output buffer from user‑supplied parameters: `Columns`, `Colors`, and `BitsPerComponent`. Because these parameters are not capped, an attacker can craft a PDF with extraordinarily large values (e.g., `Columns` set to millions). The decoder then attempts to allocate memory proportional to `Columns * Colors * BitsPerComponent / 8` for each row, leading to excessive memory allocation and, in practice, long runtimes or complete memory exhaustion.
The inefficiency is algorithmic: the manipulated parameters drive the PNG prediction loop into its worst case, so the decoder processes an enormous amount of data byte by byte. This denial‑of‑service (DoS) condition can be exploited remotely simply by enticing a victim to open a malicious PDF file. The issue affects all pypdf versions prior to the fix and is tracked under CVE‑2026‑41312.

DailyCVE Form:

Platform: pypdf (Python)
Version: < 6.10.2 (and < 6.12.2 for some variants)
Vulnerability: Uncontrolled memory allocation in FlateDecode PNG predictor
Severity: Medium (CVSS 4.8)
Date: 2026-04-22
Prediction: Patch expected by 2026-06-01 (already released in 6.10.2 / 6.12.2)

What Undercode Says: Analytics & Exploitation Insights

Attack Surface

  • The vulnerability is triggered when a PDF stream with `/Filter /FlateDecode` and `/Predictor` ≠ 1 is accessed.
  • No authentication or special privileges are required; the attack is remote and low‑complexity.

Bash / Code Snippets

To test for the vulnerability, one can create a minimal PDF with exaggerated predictor parameters (conceptual example):

```bash
# Generate a malicious PDF using a Python one-liner (illustrative)
python3 -c "
from pypdf import PdfReader, PdfWriter
from io import BytesIO
# Craft a stream with /FlateDecode and Predictor=10, Columns=230
# (This would trigger the excessive allocation in vulnerable versions)
"
```

Exploit

An attacker crafts a PDF containing a FlateDecode stream with a PNG predictor and sets `Columns`, `Colors`, or `BitsPerComponent` to extremely large integers. When the victim’s application processes the PDF (e.g., using `PdfReader`), the decoder attempts to allocate a buffer of size `row_length × number_of_rows`, where `row_length` is derived from the manipulated parameters. This causes the process to consume all available RAM or enter an infinite loop, effectively halting the application.

Protection

  • Upgrade to pypdf ≥ 6.10.2 (or ≥ 6.12.2 if using the backported optimization).
  • If upgrading is not immediately possible, apply the changes from PR 3806 manually. This PR introduces hard caps on `Columns` (250,000), row length (4,000,000), and total buffer size (75,000,000), and adds `LimitReachedError` checks to prevent excessive allocations.
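The caps described above (and the row‑length arithmetic from the "How CVE‑2026‑41312 Works" section) can also be applied as a pre‑filter before a file ever reaches the parser. The following Python scanner is an added example, not code from pypdf, PR 3806 or this post: the two static caps and the `Columns * Colors * BitsPerComponent / 8` formula come from this page, while the regex scan, the extra filter‑type byte per row, and the sample dictionaries are my assumptions, and only directly embedded `/DecodeParms` dictionaries are inspected.

```python
import re

# Caps this page quotes for pypdf's fix (PR 3806); the 75,000,000 total-buffer
# cap needs the decoded length, so only the two static caps are checked here.
MAX_COLUMNS = 250_000
MAX_ROW_LENGTH = 4_000_000

_DECODEPARMS_RE = re.compile(rb"/DecodeParms\s*<<(.*?)>>", re.S)
_KEY_RE = re.compile(rb"/(Predictor|Columns|Colors|BitsPerComponent)\s+(\d+)")

def parse_decode_parms(body: bytes) -> dict[str, int]:
    """Read the integer keys of one DecodeParms dict, starting from the PDF defaults."""
    parms = {"Predictor": 1, "Columns": 1, "Colors": 1, "BitsPerComponent": 8}
    for key, value in _KEY_RE.findall(body):
        parms[key.decode()] = int(value)
    return parms

def row_length(parms: dict[str, int]) -> int:
    """Bytes per PNG row: Columns * Colors * BitsPerComponent / 8 rounded up,
    plus the one filter-type byte that precedes every PNG-predicted row (assumption)."""
    bits = parms["Columns"] * parms["Colors"] * parms["BitsPerComponent"]
    return (bits + 7) // 8 + 1

def check_parms(parms: dict[str, int]) -> "str | None":
    """Return why the parameters would trip a cap, or None if they are within limits."""
    if not 10 <= parms["Predictor"] <= 15:
        return None  # only PNG predictors (10-15) enter the prediction loop
    if parms["Columns"] > MAX_COLUMNS:
        return f"Columns={parms['Columns']} exceeds cap {MAX_COLUMNS}"
    length = row_length(parms)
    if length > MAX_ROW_LENGTH:
        return f"row length {length} exceeds cap {MAX_ROW_LENGTH}"
    return None

def scan_pdf_bytes(data: bytes) -> list[str]:
    """Flag each directly embedded DecodeParms dict that would trip a cap. Heuristic:
    indirect or array-valued DecodeParms are not resolved, so 'clean' is not proof."""
    findings = []
    for n, match in enumerate(_DECODEPARMS_RE.finditer(data), 1):
        reason = check_parms(parse_decode_parms(match.group(1)))
        if reason:
            findings.append(f"stream #{n}: {reason}")
    return findings

# Constructed sample dictionaries (not taken from any real file).
BENIGN = b"<< /Filter /FlateDecode /DecodeParms << /Predictor 12 /Columns 4 >> /Length 10 >>"
OVERSIZED = b"<< /Filter /FlateDecode /DecodeParms << /Predictor 12 /Columns 50000000 >> >>"
WIDE_ROW = b"<< /Filter /FlateDecode /DecodeParms << /Predictor 15 /Columns 240000 /Colors 32 /BitsPerComponent 16 >> >>"
```

A hit is a reason to reject the file or route it to a patched parser; an empty result is not a safety guarantee, because the scan does not follow indirect objects.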

Impact

Successful exploitation leads to a denial‑of‑service condition: the application becomes unresponsive, memory is exhausted, and the system may crash or become unstable. The vulnerability does not allow code execution or data exfiltration, but it can be used to disrupt services that rely on pypdf for PDF processing.


Sources:

Reported By: github.com