CVE-2026-33699
Published: 27 March 2026
Summary
CVE-2026-33699 is a high-severity Infinite Loop (CWE-835) vulnerability in the pypdf library (vendor: Pypdf Project). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); the vulnerability is ranked at the 4.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 mandates identification, reporting, and correction of system flaws, directly requiring patching of the pypdf library to version 6.9.2 to remediate the infinite loop vulnerability.
CM-6 requires configuration settings for software like pypdf to enforce strict parsing mode, preventing the non-strict mode condition that triggers the infinite loop.
SC-5 implements protections against denial-of-service events, limiting the availability impact of resource exhaustion from the crafted PDF infinite loop.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE enables remote DoS via a crafted PDF supplied to a vulnerable pypdf parser in public-facing apps or services (T1190, Exploit Public-Facing Application) and directly achieves endpoint DoS through software exploitation that causes an infinite loop (T1499.004, Application or System Exploitation).
NVD Description
pypdf is a free and open-source pure-python PDF library. Versions prior to 6.9.2 have a vulnerability in which an attacker can craft a PDF which leads to an infinite loop. This requires reading a file in non-strict mode. This has been fixed in pypdf 6.9.2. If users cannot upgrade yet, consider applying the changes from the patch manually.
Deeper analysis
CVE-2026-33699 is a denial-of-service vulnerability (CWE-835: Loop with Unreachable Exit Condition) affecting the pypdf library, a free and open-source pure-Python PDF processing tool. Versions prior to 6.9.2 are vulnerable when processing a specially crafted PDF file in non-strict mode, which triggers an infinite loop during file reading. The issue has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), highlighting its potential for high-impact availability disruption without requiring authentication or user interaction.
An attacker can exploit this vulnerability remotely by supplying a malicious PDF to any application or service that uses a vulnerable version of pypdf in non-strict mode for PDF parsing. Successful exploitation leads to an infinite loop, causing the affected process to hang or consume excessive resources, resulting in denial of service. No privileges are needed, and the attack requires low complexity, making it accessible to remote unauthenticated actors targeting PDF-handling workflows.
The vulnerability has been addressed in pypdf version 6.9.2, as detailed in the project's release notes and security advisory (GHSA-87mj-5ggw-8qc3). Users unable to upgrade immediately can manually apply the fix from the corresponding pull request. Security practitioners should audit dependencies for vulnerable pypdf versions and enforce strict parsing mode where feasible to mitigate exposure.
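As an added example (not code from the advisory or from the pypdf project), the following wrapper applies the two mitigations above on the defending side: it flags version/mode combinations the advisory describes as exposed (pypdf below 6.9.2 in non-strict mode) and runs any parse in a child process with a deadline, so a hang cannot pin a worker indefinitely. The timeout value, the stand-in hang function and the assumption that pypdf is installed for parse_strict are mine; the crafted trigger file is not reproduced.

```python
import multiprocessing as mp
import queue
import re

FIXED_VERSION = (6, 9, 2)  # first release with the fix, per the advisory

def parse_version(text):
    """'6.9.1' -> (6, 9, 1); leading digits per piece, so '6.9.2rc1' reads as
    6.9.2 (if you ship rc builds, treat them as older than the final release)."""
    parts = [int(m.group()) if (m := re.match(r"\d+", p)) else 0
             for p in text.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def is_exposed(version, strict):
    """Exposure per the advisory: pypdf < 6.9.2 reading a file in non-strict mode."""
    return parse_version(version) < FIXED_VERSION and not strict

def _child(fn, path, out):
    try:
        out.put(("ok", fn(path)))
    except Exception as exc:  # strict mode raises on malformed input
        out.put(("error", repr(exc)))

def parse_with_timeout(fn, path, timeout_s=10.0):
    """Run fn(path) in a forked child and kill it if it overruns. A process, not
    a thread: a tight pure-Python loop cannot be interrupted from a thread, and
    terminating the process also releases the memory it consumed."""
    ctx = mp.get_context("fork")  # POSIX only; child inherits fn without pickling
    out = ctx.Queue()
    proc = ctx.Process(target=_child, args=(fn, path, out))
    proc.start()
    proc.join(timeout_s)
    if proc.is_alive():
        proc.terminate()
        proc.join()
        return ("timeout", None)
    try:
        return out.get(timeout=1.0)
    except queue.Empty:  # child exited without reporting a result
        return ("crashed", None)

def parse_strict(path):
    """Real parser hook (assumes pypdf is installed): strict=True is PdfReader's
    own option and makes it raise instead of attempting recovery."""
    from pypdf import PdfReader
    return len(PdfReader(path, strict=True).pages)

def hang_forever(path):
    """Stand-in for the crafted-PDF hang; the real trigger is not reproduced."""
    while True:
        pass
```

In a service, pair the deadline with a memory limit on the child (e.g. an RLIMIT_AS via resource.setrlimit in the child) so the SC-5 control covers both CPU and memory exhaustion.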
Details
- CWE(s)