CVE-2026-24688 – CVE-2026-24688 is an infinite loop vulnerabilit... (How to Fix)

📋 TL;DR

CVE-2026-24688 is an infinite loop vulnerability in pypdf, a Python PDF library. Attackers can craft malicious PDFs that cause denial of service when outlines/bookmarks are accessed. All projects using vulnerable pypdf versions are affected.

💻 Affected Systems

Products:

pypdf

Versions: All versions prior to 6.6.2

Operating Systems: All operating systems running Python

Default Config Vulnerable: ⚠️ Yes

Notes: Vulnerability triggers when accessing outlines/bookmarks in PDFs, which may not be default behavior in all applications.

📦 What is this software?

Pypdf by Pypdf Project

View all CVEs affecting Pypdf →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete denial of service causing application unavailability, resource exhaustion leading to system instability or crashes.

🟠

Likely Case

Application hangs or becomes unresponsive when processing malicious PDFs, requiring restart.

🟢

If Mitigated

Minimal impact with proper input validation and resource limits in place.

🌐 Internet-Facing: HIGH - PDF processing is common in web applications, making internet-facing systems prime targets.

🏢 Internal Only: MEDIUM - Internal systems processing user-uploaded PDFs remain vulnerable but with reduced attack surface.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires only a crafted PDF file and access to PDF processing functionality.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.6.2

Vendor Advisory: https://github.com/py-pdf/pypdf/security/advisories/GHSA-2q4j-m29v-hq73

Restart Required: No

Instructions:

1. Update pypdf: pip install --upgrade pypdf==6.6.2
2. Verify installation: pip show pypdf
3. Test PDF processing functionality

🔧 Temporary Workarounds

Manual patch application

all

Apply changes from PR #3610 manually if upgrade is not possible

Apply the changes from https://github.com/py-pdf/pypdf/pull/3610 to your local pypdf installation

🧯 If You Can't Patch

Implement strict input validation and sanitization for PDF uploads
Add resource limits and timeouts for PDF processing operations

🔍 How to Verify

Check if Vulnerable:

Check pypdf version: pip show pypdf | grep Version

Check Version:

pip show pypdf | grep Version

Verify Fix Applied:

Confirm version is 6.6.2 or higher: pip show pypdf | grep Version

📡 Detection & Monitoring

Log Indicators:

Extended PDF processing times
Application hangs or crashes during PDF operations
High CPU usage from PDF processing tasks

Network Indicators:

Repeated PDF uploads from single source
Unusually large PDF uploads

SIEM Query:

source="application_logs" AND ("PDF processing" OR "pypdf") AND ("timeout" OR "hang" OR "crash")

📊 Metadata

CVE ID: CVE-2026-24688

CVSS v3 Score: 4.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

CWE: CWE-835

EPSS Score: 0.04% exploit probability (10.5th percentile)

Published: January 27, 2026

Last Updated: February 25, 2026

🔗 References

https://github.com/py-pdf/pypdf/commit/b1282f8dcdc1a7b41ceab6740ffddfdf31b1fec1 Patch
https://github.com/py-pdf/pypdf/pull/3610 Issue Tracking
https://github.com/py-pdf/pypdf/releases/tag/6.6.2 Product,Release Notes
https://github.com/py-pdf/pypdf/security/advisories/GHSA-2q4j-m29v-hq73 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-24688, you might also want to check these: