Skip to content

Possible infinite loop when loading circular /Prev entries in cross-reference streams

Moderate
stefan6419846 published GHSA-2rw7-x74f-jg35 Feb 22, 2026

Package

pip pypdf (pip)

Affected versions

< 6.7.2

Patched versions

>= 6.7.2

Description

Impact

An attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires reading the file.

Patches

This has been fixed in pypdf==6.7.2.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #3655.

Severity

Moderate

CVE ID

CVE-2026-27628

Weaknesses

Loop with Unreachable Exit Condition ('Infinite Loop')

The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop. Learn more on MITRE.

Credits