SB2026042750 - Allocation of Resources Without Limits or Throttling in PyPDF
Published: April 27, 2026
Security Bulletin ID
SB2026042750
Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Denial of service
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-31826)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to allocation of resources without limits or throttling in the content stream parser when parsing a PDF content stream with a manipulated /Length value. A remote attacker can craft a PDF with a large /Length value to cause a denial of service.
This issue primarily affects cases where the library reads from buffers of unknown size, such as file objects opened in binary mode.
Remediation
Install update from vendor's website.