CVE-2026-27888

7.5 HIGH

📋 TL;DR

This vulnerability in pypdf allows attackers to craft malicious PDF files that cause denial of service by exhausting system RAM when the XFA property is accessed and the corresponding stream uses FlateDecode compression. Anyone using pypdf versions before 6.7.3 to process PDF files is affected, particularly applications that parse untrusted PDF input.

💻 Affected Systems

Products:
  • pypdf
Versions: All versions before 6.7.3
Operating Systems: All operating systems running Python
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability triggers when accessing the xfa property of a reader or writer with FlateDecode compressed streams.

⚠️ Risk & Real-World Impact

🔴 Worst Case
Complete system unavailability due to RAM exhaustion, potentially causing service disruption, data loss, or system crashes.

🟠 Likely Case
Denial of service affecting the application processing the PDF, causing service interruption and potential resource exhaustion on the host system.

🟢 If Mitigated
Limited impact with proper input validation and resource limits, though processing of malicious PDFs would still fail.

🌐 Internet-Facing: HIGH if processing user-uploaded PDFs, as attackers can easily craft malicious files.
🏢 Internal Only: MEDIUM if processing internally generated PDFs, but risk exists if any PDFs come from untrusted sources.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only the ability to provide a malicious PDF file to the vulnerable application.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.7.3

Vendor Advisory: https://github.com/py-pdf/pypdf/security/advisories/GHSA-x7hp-r3qg-r3cj

Restart Required: No

Instructions:

1. Update pypdf using pip: pip install --upgrade pypdf==6.7.3
2. Verify the update completed successfully
3. Test PDF processing functionality

🔧 Temporary Workarounds

Manual patch application (applies to: all platforms)

Apply the security patch from the GitHub commit to your local pypdf installation:

git clone https://github.com/py-pdf/pypdf.git
cd pypdf
git checkout 7a4c8246ed48d9d328fb596942271da47b6d109c
pip install -e .

🧯 If You Can't Patch

  • Implement strict input validation to reject PDFs with XFA forms or FlateDecode compression (note that FlateDecode is used by most legitimate PDFs, so rejecting it will also reject ordinary files; screening for XFA is the more practical filter)
  • Deploy resource limits (memory, CPU, wall-clock time) on the processes that handle PDF parsing, so a decompression bomb fails that process rather than the host

🔍 How to Verify

Check if Vulnerable:

Check the installed pypdf version with python -c "import pypdf; print(pypdf.__version__)"; any version lower than 6.7.3 is vulnerable.

Check Version:

python -c "import pypdf; print(pypdf.__version__)"

Verify Fix Applied:

After updating, verify version is 6.7.3 or higher and test with known malicious PDF samples

📡 Detection & Monitoring

Log Indicators:

  • Memory exhaustion alerts
  • Process crashes during PDF parsing
  • High RAM usage by Python processes

Network Indicators:

  • Multiple PDF uploads to vulnerable endpoints
  • Unusual PDF file patterns

SIEM Query:

source="application_logs" AND ("pypdf" OR "PDF processing") AND ("crash" OR "memory" OR "out of memory")
