pypdf is a free and open-source pure-python PDF library. Prior to 6.12.2, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires extracting the text of a page which contains a form XObject with self-references. This vulnerability is fixed in 6.12.2.
PUBLISHED5.2CWE-400
pypdf: Possible large memory usage for form XObjects during text extraction
Problem type
Affected products
py-pdf
pypdf
< 6.12.2 - AFFECTED
References
https://github.com/py-pdf/pypdf/security/advisories/GHSA-j543-4vmf-qm7v
https://github.com/py-pdf/pypdf/security/advisories/GHSA-j543-4vmf-qm7v
https://github.com/py-pdf/pypdf/pull/3805
https://github.com/py-pdf/pypdf/pull/3805
https://github.com/py-pdf/pypdf/releases/tag/6.12.2
https://github.com/py-pdf/pypdf/releases/tag/6.12.2
GitHub Security Advisories
GHSA-j543-4vmf-qm7v
pypdf: Possible large memory usage for form XObjects during text extraction
https://github.com/advisories/GHSA-j543-4vmf-qm7vImpact
An attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires extracting the text of a page which contains a form XObject with self-references.
Patches
This has been fixed in pypdf==6.12.2.
Workarounds
If you cannot upgrade yet, consider applying the changes from PR #3805.
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-49461Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-49461",
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"dateUpdated": "2026-06-22T20:27:16.174Z",
"dateReserved": "2026-05-30T04:17:43.094Z",
"datePublished": "2026-06-22T20:27:16.174Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M",
"dateUpdated": "2026-06-22T20:27:16.174Z"
},
"title": "pypdf: Possible large memory usage for form XObjects during text extraction",
"descriptions": [
{
"lang": "en",
"value": "pypdf is a free and open-source pure-python PDF library. Prior to 6.12.2, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires extracting the text of a page which contains a form XObject with self-references. This vulnerability is fixed in 6.12.2."
}
],
"affected": [
{
"vendor": "py-pdf",
"product": "pypdf",
"versions": [
{
"version": "< 6.12.2",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-400: Uncontrolled Resource Consumption",
"cweId": "CWE-400",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://github.com/py-pdf/pypdf/security/advisories/GHSA-j543-4vmf-qm7v",
"name": "https://github.com/py-pdf/pypdf/security/advisories/GHSA-j543-4vmf-qm7v",
"tags": [
"x_refsource_CONFIRM"
]
},
{
"url": "https://github.com/py-pdf/pypdf/pull/3805",
"name": "https://github.com/py-pdf/pypdf/pull/3805",
"tags": [
"x_refsource_MISC"
]
},
{
"url": "https://github.com/py-pdf/pypdf/releases/tag/6.12.2",
"name": "https://github.com/py-pdf/pypdf/releases/tag/6.12.2",
"tags": [
"x_refsource_MISC"
]
}
],
"metrics": [
{}
]
}
}
}