Cyber Resilience

CVE-2026-27628

Severity: Low
Published: 25 February 2026
Modified: 27 February 2026
KEV Added: not listed
Patch: available
CVSS v4.0 score: 1.2
CVSS v4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0006 (17.7th percentile)
Risk priority: 2 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-27628 is a low-severity Infinite Loop (CWE-835) vulnerability in Pypdf Project Pypdf. Its CVSS v4.0 base score is 1.2 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). Its EPSS score of 0.0006 places it at the 17.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-27628 is a denial-of-service vulnerability in pypdf, a free and open-source pure-Python PDF library. Versions prior to 6.7.2 are affected: processing a specially crafted PDF file triggers an infinite loop (CWE-835: Loop with Unreachable Exit Condition). The issue has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), reflecting a high availability impact with no privileges or user interaction required.

A remote attacker can exploit this vulnerability by crafting a malicious PDF file and inducing a victim to process it using a vulnerable pypdf installation, such as in a PDF parsing application or service. This leads to an infinite loop during file reading, causing resource exhaustion and denial of service on the affected system or process.

The vulnerability has been fixed in pypdf version 6.7.2. As a workaround, users can manually apply the patch from the referenced commit. Official advisories and discussions are available in the pypdf GitHub security advisory (GHSA-2rw7-x74f-jg35) and related issues.


Vulnerability details

pypdf is a free and open-source pure-python PDF library. Prior to 6.7.2, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires reading the file. This has been fixed in pypdf 6.7.2. As a workaround, one may apply the patch manually.

CWE(s): CWE-835 (Loop with Unreachable Exit Condition)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

The infinite loop in the PDF parsing library directly enables application exploitation, resulting in endpoint DoS via resource exhaustion.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-33699 (same product: Pypdf Project Pypdf)
CVE-2026-27888 (same product: Pypdf Project Pypdf)
CVE-2026-26283 (shared CWE-835)
CVE-2026-39806 (shared CWE-835)
CVE-2026-29975 (shared CWE-835)
CVE-2026-44302 (shared CWE-835)
CVE-2026-31448 (shared CWE-835)
CVE-2026-42899 (shared CWE-835)
CVE-2026-23451 (shared CWE-835)
CVE-2026-21507 (shared CWE-835)

Affected Assets

pypdf project: pypdf, ≤ 6.7.2

Mitigating Controls (NIST 800-53 r5)

SI-2 (prevent): requires timely flaw remediation, directly addressing the vulnerability by mandating updates to pypdf version 6.7.2 to eliminate the infinite loop during PDF processing.

SC-5 (prevent): implements denial-of-service protections such as resource limits and timeouts to prevent resource exhaustion from the infinite loop triggered by malicious PDFs.

SI-10 (prevent): enforces input validation to detect and reject specially crafted PDFs that could trigger the unreachable exit condition in pypdf processing.
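The timeout and resource-limit controls that SC-5 calls for, applied to the parse path the Deeper analysis describes, as an added defensive example that is not pypdf's own code: an untrusted file is read in a forked child process that the parent kills when it overruns a wall-clock budget, so a CWE-835 loop costs a bounded amount of CPU and memory rather than the whole service. `run_bounded`, `count_pages`, `is_vulnerable_version`, `spin_forever` and the limits are this example's assumptions (Unix only, since it relies on fork and RLIMIT_AS), and pypdf is only imported inside the child.

```python
import multiprocessing as mp
import resource

FIXED_VERSION = (6, 7, 2)  # first pypdf release carrying the fix

def is_vulnerable_version(version: str) -> bool:
    """True when an installed pypdf version string predates 6.7.2."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    return parts < FIXED_VERSION

def _child(target, args, mem_bytes, q):
    # Cap the child's address space so a runaway parse cannot take the host's RAM.
    if mem_bytes is not None:
        resource.setrlimit(resource.RLIMIT_AS, (mem_bytes, mem_bytes))
    try:
        q.put(("ok", target(*args)))
    except Exception as exc:  # a malformed file is a result, not a hang
        q.put(("err", repr(exc)))

def run_bounded(target, args=(), timeout_s=10.0, mem_bytes=None):
    """Run target(*args) in a forked child (Unix only).

    Returns ("ok", value), ("err", message) or ("timeout", None); a parse
    stuck in the CWE-835 loop is killed rather than awaited.
    """
    ctx = mp.get_context("fork")  # child needs no re-import of __main__
    q = ctx.Queue()
    proc = ctx.Process(target=_child, args=(target, args, mem_bytes, q))
    proc.start()
    proc.join(timeout_s)
    if proc.is_alive():  # still spinning: the loop never exits on its own
        proc.kill()
        proc.join()
        return ("timeout", None)
    try:
        return q.get(timeout=1.0)
    except Exception:
        return ("err", "child exited without reporting a result")

def count_pages(path: str) -> int:
    """Parse with pypdf inside the child; pypdf must be installed."""
    from pypdf import PdfReader  # imported here so the parent never parses
    return len(PdfReader(path).pages)

def spin_forever():
    """Stand-in for the unreachable-exit loop, used to exercise the timeout."""
    while True:
        pass
```

Typical use is `run_bounded(count_pages, ("untrusted.pdf",), timeout_s=10.0, mem_bytes=512 * 2**20)`; a `("timeout", None)` result is the signal to quarantine the file and alert, and `is_vulnerable_version(pypdf.__version__)` flags installs that still need the SI-2 upgrade.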
