Public February 2026
pypdf Allowed RunLengthDecode Streams to Exhaust RAM
BugBunny.ai reported that pypdf could be forced into excessive memory consumption when parsing attacker-crafted RunLengthDecode content streams. A malicious PDF could drive large allocations and deny service to applications that ingest untrusted documents.
TL;DR
- Impact: Attackers can cause resource exhaustion and parser instability by supplying a crafted PDF.
- Component: RunLengthDecode-compressed PDF content streams parsed by pypdf.
- Affected: pypdf releases before 6.7.4.
- Fix: Published and fixed in pypdf 6.7.4.
Root Cause
The vulnerable parsing path allowed manipulated RunLengthDecode streams to expand into far more in-memory data than the parser bounded, so RAM use scaled with attacker-controlled expansion rather than with reasonable document limits.
Even without direct code execution, this kind of parser behavior is operationally dangerous because document-processing services often handle untrusted PDFs automatically. Excessive allocation pressure can crash workers or destabilize shared infrastructure.
Product: pypdf
Affected: < 6.7.4
Patched: >= 6.7.4
Weaknesses
CWE-400: Uncontrolled Resource Consumption
Mitigation
- Upgrade to pypdf 6.7.4 or later.
- Apply the upstream mitigation from PR #3664 if an immediate upgrade is not possible.
- Treat PDF parsing as untrusted input handling and enforce process-level memory limits where feasible.
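As a worked illustration of both the root cause and the third mitigation item (an added example, not pypdf's code and not the fix in PR #3664): a RunLengthDecode decoder that refuses to expand past an explicit output ceiling, plus a helper that caps the process's address space. The filter semantics follow the PDF specification (a length byte of 0..127 copies the next L+1 bytes literally, 129..255 repeats the next byte 257-L times, 128 is end-of-data); the function names, the 16 MiB default ceiling and the sample stream are constructed for this example.

```python
"""Bounded RunLengthDecode (PDF filter) with an explicit output ceiling.

Added example for the advisory above; not pypdf's implementation.
"""

EOD = 128  # end-of-data marker in RunLengthDecode


class DecodeLimitExceeded(ValueError):
    """Raised when decoding would produce more bytes than the caller allows."""


def max_expansion(encoded_len: int) -> int:
    """Worst-case decoded size: every 2-byte repeat run can yield 128 bytes,
    so the output is at most 64x the encoded length. A caller can use this
    to pick a ceiling that is tight for the document size it expects."""
    return 64 * encoded_len


def run_length_decode(data: bytes, max_output: int = 16 * 1024 * 1024) -> bytes:
    """Decode a RunLengthDecode stream, raising DecodeLimitExceeded before
    the output grows beyond max_output (constructed default: 16 MiB)."""
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        length = data[i]
        i += 1
        if length == EOD:
            break
        if length < 128:
            # Literal run: copy the next length+1 bytes as they are.
            count = length + 1
            chunk = data[i:i + count]
            if len(chunk) < count:
                raise ValueError("truncated literal run")
            if len(out) + count > max_output:
                raise DecodeLimitExceeded(
                    f"output would exceed {max_output} bytes at offset {i}")
            out += chunk
            i += count
        else:
            # Repeat run: the next single byte is repeated 257-length times.
            count = 257 - length
            if i >= n:
                raise ValueError("truncated repeat run")
            if len(out) + count > max_output:
                raise DecodeLimitExceeded(
                    f"output would exceed {max_output} bytes at offset {i}")
            out += bytes([data[i]]) * count
            i += 1
    return bytes(out)


def apply_memory_limit(limit_bytes: int) -> bool:
    """Cap this process's address space (Unix only). Returns False where the
    platform or the current hard limit does not allow it. Call this in the
    worker that parses untrusted PDFs, before any document is opened."""
    try:
        import resource
        _soft, hard = resource.getrlimit(resource.RLIMIT_AS)
        if hard != resource.RLIM_INFINITY and limit_bytes > hard:
            return False
        resource.setrlimit(resource.RLIMIT_AS, (limit_bytes, hard))
        return True
    except (ImportError, AttributeError, ValueError, OSError):
        return False


if __name__ == "__main__":
    # Constructed sample: 1000 repeat runs of 0x81 'A', i.e. 2,000 bytes of
    # input that legitimately decode to 128,000 bytes (the 64x worst case).
    sample = b"\x81A" * 1000
    print("unbounded decode:", len(run_length_decode(sample)), "bytes")
    print("worst case for this input:", max_expansion(len(sample)), "bytes")
    try:
        run_length_decode(sample, max_output=4096)
    except DecodeLimitExceeded as exc:
        print("bounded decode refused:", exc)
```

The ceiling is checked before each run is appended, so a hostile stream is rejected at the first run that would cross it rather than after the allocation has already happened; `max_expansion` shows that the bound is computable from the encoded size alone, which is what makes a per-stream limit practical. `apply_memory_limit` is the process-level backstop the mitigation list refers to and is independent of which filter misbehaves.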
Credits & Disclosure
Published via GitHub Security Advisory GHSA-f2v5-7jq9-h8cg after coordinated disclosure with the pypdf maintainers.