VIR Vulnerability Intelligence Relay

CVE-2026-48156

low
Published 2026-05-28 · Modified 2026-05-29
💬 Discuss on Community ✚ Propose mitigation
CVSS v3
3.3
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
CVSS v4 NEW
5.1
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
VIR risk
3.3

Description

pypdf is a free and open-source pure-python PDF library. Prior to 6.12.0, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires cross-reference streams with /W [0 0 0] values and large /Size values. This vulnerability is fixed in 6.12.0.

Predictions

Exploit likelihood
34%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Debian Security Tracker · View original ↗ · DFSG

CVE-2026-48156 NameCVE-2026-48156 Descriptionpypdf is a free and open-source pure-python PDF library. Prior to 6.12.0, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires cross-reference streams with /W [0 0 0] values and large /Size values. This vulnerability is fixed in 6.12.0. SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS,…

CVE-2026-48156

NameCVE-2026-48156
Descriptionpypdf is a free and open-source pure-python PDF library. Prior to 6.12.0, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires cross-reference streams with /W [0 0 0] values and large /Size values. This vulnerability is fixed in 6.12.0.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1138193

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
pypdf (PTS)bookworm3.4.1-1+deb12u1vulnerable
trixie5.4.0-1vulnerable
forky, sid6.9.2-1vulnerable
pypdf2 (PTS)bullseye1.26.0-4+deb11u1vulnerable
bookworm2.12.1-3+deb12u1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
pypdfsource(unstable)(unfixed)1138193
pypdf2source(unstable)(unfixed)

Notes

https://github.com/py-pdf/pypdf/security/advisories/GHSA-248m-82v9-q6g6
https://github.com/py-pdf/pypdf/pull/3791

Home - Debian Security - Source (Git)

Apply commands

text fix
Notes
https://github.com/py-pdf/pypdf/security/advisories/GHSA-248m-82v9-q6g6https://github.com/py-pdf/pypdf/pull/3791

OS impact
OSVersionStatusFixed in
debian debianbookwormaffected
debian debianforkyaffected
debian debiansidaffected
debian debiantrixieaffected
debian debianbullseyeaffected

Application impact
VendorProductVersionsFixed
pypdf_projectpypdf{"endExcluding":"6.12.0"}6.12.0

References

CWEs

CWE-834

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.