pypdf possibly has long runtimes for malformed FlateDecode streams
Description
Published to the GitHub Advisory Database
Feb 18, 2026
Reviewed
Feb 18, 2026
Published by the National Vulnerability Database
Feb 20, 2026
Last updated
Feb 23, 2026
Impact
An attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires a malformed
/FlateDecodestream, where the byte-by-byte decompression is used.Patches
This has been fixed in pypdf==6.7.1.
Workarounds
If you cannot upgrade yet, consider applying the changes from PR #3644.
References