CVE-2026-27628
Published: 25 February 2026
Summary
CVE-2026-27628 is a low-severity Infinite Loop (CWE-835) vulnerability in pypdf (Pypdf Project). Its CVSS base score is 1.2 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 17.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-27628 is a denial-of-service vulnerability in pypdf, a free and open-source pure-python PDF library. Versions prior to 6.7.2 are affected, where processing a specially crafted PDF file triggers an infinite loop (CWE-835: Loop with Unreachable Exit Condition). The issue has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), reflecting high availability impact with no requirements for privileges or user interaction.
A remote attacker can exploit this vulnerability by crafting a malicious PDF file and inducing a victim to process it using a vulnerable pypdf installation, such as in a PDF parsing application or service. This leads to an infinite loop during file reading, causing resource exhaustion and denial of service on the affected system or process.
The vulnerability has been fixed in pypdf version 6.7.2. As a workaround, users can manually apply the patch from the referenced commit. Official advisories and discussions are available in the pypdf GitHub security advisory (GHSA-2rw7-x74f-jg35) and related issues.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8601
Vulnerability details
pypdf is a free and open-source pure-python PDF library. Prior to 6.7.2, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires reading the file. This has been fixed in pypdf 6.7.2. As a workaround, one may apply the patch manually.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An infinite loop in the PDF parsing library directly enables application exploitation (T1499.004), resulting in endpoint denial of service through resource exhaustion.
Mitigating Controls (NIST 800-53 r5)
SI-2 requires timely flaw remediation, directly addressing the vulnerability by mandating updates to pypdf version 6.7.2 to eliminate the infinite loop during PDF processing.
SC-5 implements denial-of-service protections such as resource limits and timeouts to prevent resource exhaustion from the infinite loop triggered by malicious PDFs.
SI-10 enforces input validation to detect and reject specially crafted PDFs that could trigger the unreachable exit condition in pypdf processing.
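As an added example of the SC-5 style control described above (this is illustrative code, not from the page or the pypdf project): untrusted PDFs are parsed in a child process bounded by a CPU-time rlimit and a wall-clock timeout, so a CWE-835 loop in the parser cannot hang the hosting service. It assumes pypdf is installed for real use; `_spin_forever_worker` is a constructed stand-in for the hanging behaviour, used only to show the timeout path.

```python
"""Defensive wrapper: run a pypdf parse in a child process with a CPU-time limit
and a wall-clock timeout, so a parser that never returns cannot stall the service."""
import multiprocessing as mp
import queue as _queue

try:
    import resource  # POSIX only; on Windows only the wall-clock timeout applies
except ImportError:
    resource = None

CPU_SECONDS = 5    # kernel sends SIGXCPU once the child burns this much CPU time
WALL_SECONDS = 10  # parent-side timeout, in case the child blocks instead of spinning


def _count_pages_worker(pdf_path, results):
    """Child side: cap CPU time, then parse with pypdf (imported lazily, assumed installed)."""
    try:
        if resource is not None:
            _soft, hard = resource.getrlimit(resource.RLIMIT_CPU)
            cap = CPU_SECONDS if hard == resource.RLIM_INFINITY else min(CPU_SECONDS, hard)
            resource.setrlimit(resource.RLIMIT_CPU, (cap, cap))
        from pypdf import PdfReader
        results.put(("ok", len(PdfReader(pdf_path).pages)))
    except Exception as exc:  # report any failure to the parent instead of dying silently
        results.put(("error", repr(exc)))


def _spin_forever_worker(pdf_path, results):
    """Constructed stand-in for a loop with an unreachable exit: never returns, never raises."""
    while True:
        pass


def parse_with_limits(pdf_path, worker=_count_pages_worker, wall_seconds=WALL_SECONDS):
    """Run `worker` on `pdf_path` in a separate process.

    Returns ("ok", page_count), ("error", message), ("timeout", None) when the
    wall-clock limit is hit, or ("killed", exitcode) when the kernel enforced the CPU cap."""
    ctx = mp.get_context("fork" if "fork" in mp.get_all_start_methods() else None)
    results = ctx.Queue()
    child = ctx.Process(target=worker, args=(pdf_path, results), daemon=True)
    child.start()
    child.join(wall_seconds)
    if child.is_alive():
        child.terminate()  # the loop will never exit on its own; reclaim the process
        child.join()
        return ("timeout", None)
    try:
        return results.get(timeout=1)
    except _queue.Empty:  # child left no result: the CPU rlimit killed it
        return ("killed", child.exitcode)
```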