pypdf, Infinite Loop Vulnerability, CVE-2026-24688 (Moderate) -DC-Jun2026-474


How CVE-2026-24688 Works

pypdf is a free and open-source pure-Python PDF library used for splitting, merging, cropping, and transforming PDF files. The library processes PDF outlines and bookmarks, which are navigational elements within a document. Prior to version 6.6.2, pypdf’s `_get_outline()` method in `pypdf/_doc_common.py` contained a critical flaw: it lacked any form of cycle detection or visited-set tracking when traversing outline nodes.
The vulnerable code operated in a `while True` loop that followed `/Next` pointers from one outline item to the next. Because there was no mechanism to record which nodes had already been visited, a malicious actor could craft a PDF containing circular outline references. In such a PDF, outline item A points to item B as its `/Next`, and item B points back to item A, creating an infinite cycle.
When an application using a vulnerable pypdf version attempts to access or parse the outlines of this malicious PDF (for example, by calling `reader.outlines`), the parser enters this loop and never exits. Each iteration of the loop allocates new memory for outline objects, causing linear memory growth that quickly exhausts available RAM. This is classified as CWE-835: Loop with Unreachable Exit Condition.
The impact is severe: in real-world tests, processing a 754-byte malicious PDF consumed over 30GB of memory within minutes, caused all CPU cores to reach 100% usage, and ultimately required a hard system reboot. This is a system-level Denial of Service (DoS), not merely an application crash. The vulnerability is triggered simply by accessing the outlines/bookmarks of a PDF, making it exploitable in any application that processes untrusted PDF content.

DailyCVE Form

Platform: pypdf
Version: <6.6.2
Vulnerability: Infinite Loop
Severity: Moderate (CVSS 4.3)
Date: 2026-01-26

Prediction: 2026-01-27 (fixed)

What Undercode Say

```bash
# Install vulnerable version
pip install "pypdf==6.6.0"
# Create malicious PDF with circular outline references (POC)
python3 create_malicious_pdf.py
# Trigger the infinite loop
python3 simple_read_pdf.py malicious_circular_outline.pdf
# Or run automated test with timeout protection
chmod +x test_pypdf.sh
./test_pypdf.sh
```

Vulnerable Code (pypdf/_doc_common.py, lines 858-873):

```python
def _get_outline(self, node, outline=None):
    if outline is None:  # guard added so the excerpt runs stand-alone
        outline = []
    while True:  # no cycle detection: nothing records which nodes were seen
        outline_obj = self._build_outline_item(node)
        if outline_obj:
            outline.append(outline_obj)  # heap allocation on every iteration
        if "/Next" not in node:
            break
        node = node["/Next"]  # follows circular /Next references forever
    return outline
```

Fixed Code (pypdf 6.6.2):

```python
# PR 3610 introduced a visited set to track processed nodes
visited = set()
while node is not None and node not in visited:
    visited.add(node)
    ...  # process outline item (elided in the advisory)
    node = node.get("/Next")
```
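
The following is an added example, not pypdf's own code: a cycle-safe outline walk modelled on the visited-set fix described above, run over a constructed A -> B -> A chain like the one the advisory describes. It goes slightly beyond the snippet by also following `/First` child pointers and by adding an independent `max_items` guard; outline items are plain dicts keyed by object identity, and `walk_outline`, `circular_outline` and `linear_outline` are names assumed for this example.

```python
from typing import Dict, List, Optional, Set, Tuple

OutlineNode = Dict[str, object]


def walk_outline(first: Optional[OutlineNode],
                 max_items: int = 10_000) -> Tuple[List[str], bool]:
    """Follow /First (children) and /Next (siblings) from `first`.

    Returns (titles in traversal order, cycle_detected). A node already in
    `visited` ends that branch instead of looping forever, which is the
    behaviour the pypdf fix introduces. `max_items` is a second guard
    (constructed here, not part of the fix) against huge acyclic chains.
    """
    titles: List[str] = []
    visited: Set[int] = set()  # ids of nodes already processed
    cycle = False
    stack: List[object] = [first]
    while stack:
        node = stack.pop()
        if not isinstance(node, dict):
            continue  # None or a malformed pointer: nothing to walk
        if id(node) in visited:
            cycle = True  # /Next or /First pointed back at a processed node
            continue
        if len(visited) >= max_items:
            raise ValueError("outline exceeds max_items; refusing to continue")
        visited.add(id(node))
        titles.append(str(node.get("/Title", "")))
        # Push /Next first so the child (/First) is popped and visited before
        # the sibling, matching document order.
        stack.append(node.get("/Next"))
        stack.append(node.get("/First"))
    return titles, cycle


def circular_outline() -> OutlineNode:
    """Constructed sample: A -> B -> A, the shape the advisory describes."""
    a: OutlineNode = {"/Title": "A"}
    b: OutlineNode = {"/Title": "B", "/Next": a}
    a["/Next"] = b
    return a


def linear_outline() -> OutlineNode:
    """Constructed sample: a benign chain with one nested child."""
    child: OutlineNode = {"/Title": "1.1"}
    return {"/Title": "1", "/First": child, "/Next": {"/Title": "2"}}
```

On the circular sample the walk returns both titles and reports the cycle rather than spinning; on the benign sample it visits the child before the next sibling.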

Exploit

An attacker crafts a PDF file where outline entries form a circular reference (e.g., `/Next` pointers create a loop). The file can be as small as 754 bytes. When a vulnerable pypdf instance processes this file and accesses its outlines, the library enters an infinite loop, consuming 100% CPU and allocating memory until system resources are exhausted. The attack requires no authentication and can be triggered remotely by supplying the malicious PDF to any application that uses pypdf to process user-supplied documents.

Protection

  1. Upgrade immediately to pypdf version 6.6.2 or later.
  2. If upgrading is not possible, manually apply the changes from PR 3610, which adds a visited set to prevent circular traversal.
  3. Implement resource limits and timeouts in applications that process untrusted PDFs to prevent complete system exhaustion.
  4. Consider input sanitization and restrict PDF processing to trusted sources where feasible.

Impact

  • Denial of Service: System-wide crash requiring hard reboot
  • Resource Exhaustion: 30GB+ memory consumption, 100% CPU utilization
  • No Data Breach: The vulnerability affects availability only (CIA triad: Availability)
  • Affected Versions: All pypdf releases prior to 6.6.2
  • Attack Vector: Remote, via crafted PDF file
  • User Interaction: Required (victim must process the malicious PDF)


Sources:

Reported By: github.com
Extra Source Hub:
Undercode
