
Cloud Vulnerability DB
Eine von der Community geführte Datenbank für Schwachstellen
CVE-2026-57204 is a Denial of Service (DoS) vulnerability in pypdf, a free and open-source pure-Python PDF library, caused by uncontrolled memory consumption when parsing maliciously crafted PDF files. The vulnerability affects all pypdf versions prior to 6.13.3 and was published on June 30, 2026, with the fix released on June 17, 2026. It carries a CVSS v4.0 base score of 6.9 (Medium) (GitHub Advisory, GitHub Advisory DB).
The root cause is classified as CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling). pypdf defines a MAX_DECLARED_STREAM_LENGTH constant to cap the amount of data read from PDF content streams; however, this limit was not enforced when a stream lacked a /Length value in its dictionary. An attacker can craft a PDF with a content stream that omits the /Length field, causing pypdf to read and allocate memory without bound, leading to excessive memory usage. The fix, implemented in PR #3871, extends the MAX_DECLARED_STREAM_LENGTH enforcement to cover streams without an explicit length declaration (GitHub Advisory, PR #3871).
Successful exploitation causes excessive memory consumption on the host running pypdf, potentially exhausting available system memory and crashing the process or the host application. The impact is limited to availability — there is no confidentiality or integrity impact, and no lateral movement or data exfiltration risk is associated with this vulnerability. Applications that automatically process user-supplied or externally sourced PDF files (e.g., document management systems, web services) are most at risk of service disruption (GitHub Advisory, GitHub Advisory DB).
/Length dictionary entry, causing pypdf's stream parser to bypass the MAX_DECLARED_STREAM_LENGTH guard./var/log/syslog) recording OOM kill events for the affected process./Length stream entries (detectable via PDF forensic tools).Upgrade pypdf to version 6.13.3 or later, which enforces MAX_DECLARED_STREAM_LENGTH for all content streams regardless of whether a /Length value is present. For users unable to upgrade immediately, the changes from PR #3871 can be applied manually as a workaround. Additionally, consider implementing application-level controls such as file size limits and sandboxing PDF processing to reduce the blast radius of any DoS attempt (GitHub Advisory, Release 6.13.3).
Quelle: Dieser Bericht wurde mithilfe von KI erstellt
Kostenlose Schwachstellenbewertung
Bewerten Sie Ihre Cloud-Sicherheitspraktiken in 9 Sicherheitsbereichen, um Ihr Risikoniveau zu bewerten und Lücken in Ihren Abwehrmaßnahmen zu identifizieren.
Eine personalisierte Demo anfordern
"Die beste Benutzererfahrung, die ich je gesehen habe, bietet vollständige Transparenz für Cloud-Workloads."
"„Wiz bietet eine zentrale Oberfläche, um zu sehen, was in unseren Cloud-Umgebungen vor sich geht.“ "
"„Wir wissen, dass, wenn Wiz etwas als kritisch identifiziert, es auch wirklich kritisch ist.“"