Cyber Resilience

CVE-2026-27888

MediumDDoS

Published: 26 February 2026

Published
26 February 2026
Modified
27 February 2026
KEV Added
Patch
CVSS Score v4 6.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0006 17.5th percentile
Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-27888 is a medium-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Pypdf Project Pypdf. Its CVSS base score is 6.6 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 17.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Deeper analysis

CVE-2026-27888 is a denial-of-service vulnerability in pypdf, a free and open-source pure-Python PDF library. Versions prior to 6.7.3 are affected, where accessing the `xfa` property of a reader or writer object on a PDF with a stream compressed using `/FlateDecode` can lead to RAM exhaustion. The issue is classified under CWE-400 (Uncontrolled Resource Consumption) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

An unauthenticated attacker (PR:N) can exploit this remotely (AV:N) with low complexity (AC:L) and no user interaction (UI:N) by crafting a malicious PDF file. Upon processing the file and accessing the vulnerable `xfa` property, the library exhausts available RAM, resulting in high-impact availability disruption (A:H) without affecting confidentiality or integrity.

The vulnerability has been fixed in pypdf version 6.7.3. Mitigation involves upgrading to this version, with a manual patch available as a workaround. Relevant advisories and resources include the GitHub security advisory (GHSA-x7hp-r3qg-r3cj), the fixing commit (7a4c8246ed48d9d328fb596942271da47b6d109c), pull request #3658, and the release notes for v6.7.3.

EU & UK References

Vulnerability details

pypdf is a free and open-source pure-python PDF library. Prior to 6.7.3, an attacker who uses this vulnerability can craft a PDF which leads to the RAM being exhausted. This requires accessing the `xfa` property of a reader or writer…

more

and the corresponding stream being compressed using `/FlateDecode`. This has been fixed in pypdf 6.7.3. As a workaround, apply the patch manually.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

CVE describes remote (AV:N) exploitation of a public-facing application/library via malicious PDF input to trigger application-level resource exhaustion DoS (CWE-400).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-33699Same product: Pypdf Project Pypdf
CVE-2026-27628Same product: Pypdf Project Pypdf
CVE-2026-39304Shared CWE-400
CVE-2025-27669Shared CWE-400
CVE-2026-21637Shared CWE-400
CVE-2025-59472Shared CWE-400
CVE-2025-40944Shared CWE-400
CVE-2025-24269Shared CWE-400
CVE-2026-46829Shared CWE-400
CVE-2026-25819Shared CWE-400

Affected Assets

pypdf project
pypdf
≤ 6.7.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely identification, reporting, and correction of flaws, directly addressing the RAM exhaustion vulnerability by mandating upgrades to pypdf 6.7.3 or application of the patch.

preventdetect

Protects system resources such as RAM from unauthorized consumption, comprehensively mitigating the uncontrolled resource exhaustion triggered by accessing the xfa property on malicious PDFs.

prevent

Employs controls to protect against denial-of-service attacks, including the high-impact availability disruption from remotely crafted PDFs exploiting pypdf.

References