pypdf is a free and open-source pure-python PDF library. Prior to version 6.7.4, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the content stream using the RunLengthDecode filter. This has been fixed in pypdf 6.7.4. As a workaround, consider applying the changes from PR #3664.
PUBLISHED5.2CWE-400
Manipulated RunLengthDecode streams can exhaust RAM
Problem type
Affected products
py-pdf
pypdf
< 6.7.4 - AFFECTED
References
https://github.com/py-pdf/pypdf/security/advisories/GHSA-f2v5-7jq9-h8cg
https://github.com/py-pdf/pypdf/security/advisories/GHSA-f2v5-7jq9-h8cg
https://github.com/py-pdf/pypdf/pull/3664
https://github.com/py-pdf/pypdf/pull/3664
https://github.com/py-pdf/pypdf/commit/f309c6003746414dc7b5048c19e6d879ff2dc858
https://github.com/py-pdf/pypdf/commit/f309c6003746414dc7b5048c19e6d879ff2dc858
https://github.com/py-pdf/pypdf/releases/tag/6.7.4
https://github.com/py-pdf/pypdf/releases/tag/6.7.4
GitHub Security Advisories
GHSA-f2v5-7jq9-h8cg
pypdf: Manipulated RunLengthDecode streams can exhaust RAM
https://github.com/advisories/GHSA-f2v5-7jq9-h8cgImpact
An attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the content stream using the RunLengthDecode filter.
Patches
This has been fixed in pypdf==6.7.4.
Workarounds
If you cannot upgrade yet, consider applying the changes from PR #3664.
github.com
https://github.com/py-pdf/pypdf/security/advisories/GHSA-f2v5-7jq9-h8cg
nvd.nist.gov
https://nvd.nist.gov/vuln/detail/CVE-2026-28351
github.com
https://github.com/py-pdf/pypdf/pull/3664
github.com
https://github.com/py-pdf/pypdf/commit/f309c6003746414dc7b5048c19e6d879ff2dc858
github.com
https://github.com/py-pdf/pypdf/releases/tag/6.7.4
github.com
https://github.com/advisories/GHSA-f2v5-7jq9-h8cg
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-28351Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-28351",
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"dateUpdated": "2026-02-27T20:59:16.839Z",
"dateReserved": "2026-02-26T18:38:13.890Z",
"datePublished": "2026-02-27T20:59:16.839Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M",
"dateUpdated": "2026-02-27T20:59:16.839Z"
},
"title": "Manipulated RunLengthDecode streams can exhaust RAM",
"descriptions": [
{
"lang": "en",
"value": "pypdf is a free and open-source pure-python PDF library. Prior to version 6.7.4, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the content stream using the RunLengthDecode filter. This has been fixed in pypdf 6.7.4. As a workaround, consider applying the changes from PR #3664."
}
],
"affected": [
{
"vendor": "py-pdf",
"product": "pypdf",
"versions": [
{
"version": "< 6.7.4",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-400: Uncontrolled Resource Consumption",
"cweId": "CWE-400",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://github.com/py-pdf/pypdf/security/advisories/GHSA-f2v5-7jq9-h8cg",
"name": "https://github.com/py-pdf/pypdf/security/advisories/GHSA-f2v5-7jq9-h8cg",
"tags": [
"x_refsource_CONFIRM"
]
},
{
"url": "https://github.com/py-pdf/pypdf/pull/3664",
"name": "https://github.com/py-pdf/pypdf/pull/3664",
"tags": [
"x_refsource_MISC"
]
},
{
"url": "https://github.com/py-pdf/pypdf/commit/f309c6003746414dc7b5048c19e6d879ff2dc858",
"name": "https://github.com/py-pdf/pypdf/commit/f309c6003746414dc7b5048c19e6d879ff2dc858",
"tags": [
"x_refsource_MISC"
]
},
{
"url": "https://github.com/py-pdf/pypdf/releases/tag/6.7.4",
"name": "https://github.com/py-pdf/pypdf/releases/tag/6.7.4",
"tags": [
"x_refsource_MISC"
]
}
],
"metrics": [
{}
]
}
}
}