CVE-2026-57204
Python Análise e mitigação de vulnerabilidades

Visão geral

CVE-2026-57204 is a Denial of Service (DoS) vulnerability in pypdf, a free and open-source pure-Python PDF library, caused by uncontrolled memory consumption when parsing maliciously crafted PDF files. The vulnerability affects all pypdf versions prior to 6.13.3 and was published on June 30, 2026, with the fix released on June 17, 2026. It carries a CVSS v4.0 base score of 6.9 (Medium) (GitHub Advisory, GitHub Advisory DB).

Detalhes técnicos

The root cause is classified as CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling). pypdf defines a MAX_DECLARED_STREAM_LENGTH constant to cap the amount of data read from PDF content streams; however, this limit was not enforced when a stream lacked a /Length value in its dictionary. An attacker can craft a PDF with a content stream that omits the /Length field, causing pypdf to read and allocate memory without bound, leading to excessive memory usage. The fix, implemented in PR #3871, extends the MAX_DECLARED_STREAM_LENGTH enforcement to cover streams without an explicit length declaration (GitHub Advisory, PR #3871).

Impacto

Successful exploitation causes excessive memory consumption on the host running pypdf, potentially exhausting available system memory and crashing the process or the host application. The impact is limited to availability — there is no confidentiality or integrity impact, and no lateral movement or data exfiltration risk is associated with this vulnerability. Applications that automatically process user-supplied or externally sourced PDF files (e.g., document management systems, web services) are most at risk of service disruption (GitHub Advisory, GitHub Advisory DB).

Etapas de exploração

  1. Craft malicious PDF: Create a PDF file containing a content stream that deliberately omits the /Length dictionary entry, causing pypdf's stream parser to bypass the MAX_DECLARED_STREAM_LENGTH guard.
  2. Deliver the PDF: Submit the crafted PDF to a target application that uses a vulnerable version of pypdf (< 6.13.3) to process PDF files — for example, via a file upload endpoint, email attachment processor, or document conversion service.
  3. Trigger parsing: Cause the application to parse the malicious PDF, which initiates content stream reading without the memory cap being enforced.
  4. Exhaust memory: pypdf reads the stream data without bound, consuming large amounts of system memory, potentially causing the application process to crash or the host to become unresponsive, resulting in a denial of service (GitHub Advisory, PR #3871).

Indicadores de compromisso

  • Process: Sudden spike in memory usage by the Python process running pypdf, potentially reaching system memory limits and triggering OOM (Out of Memory) killer events.
  • Logs: Application error logs showing memory allocation failures, process crashes, or unhandled exceptions during PDF parsing; OS-level logs (e.g., /var/log/syslog) recording OOM kill events for the affected process.
  • File System: Presence of suspicious or unexpected PDF files in upload directories or temporary processing folders that lack standard /Length stream entries (detectable via PDF forensic tools).
  • Network: Repeated submission of PDF files from the same source IP to a PDF-processing endpoint, particularly if followed by service unavailability.

Mitigação e soluções alternativas

Upgrade pypdf to version 6.13.3 or later, which enforces MAX_DECLARED_STREAM_LENGTH for all content streams regardless of whether a /Length value is present. For users unable to upgrade immediately, the changes from PR #3871 can be applied manually as a workaround. Additionally, consider implementing application-level controls such as file size limits and sandboxing PDF processing to reduce the blast radius of any DoS attempt (GitHub Advisory, Release 6.13.3).

Recursos adicionais


OrigemEste relatório foi gerado usando IA

Relacionado Python Vulnerabilidades:

CVE ID

Gravidade

Pontuação

Tecnologias

Nome do componente

Exploração do CISA KEV

Tem correção

Data de publicação

CVE-2026-57585HIGH7.5
  • Python logoPython
  • python-pip
NãoSimJun 30, 2026
CVE-2026-12243HIGH7.5
  • Python logoPython
  • nltk
NãoNãoJun 30, 2026
CVE-2026-49986HIGH7.1
  • Python logoPython
  • neuro-cortex-memory
NãoSimJul 01, 2026
CVE-2026-57204MEDIUM6.9
  • Python logoPython
  • pypdf
NãoSimJun 30, 2026
GHSA-75mw-h36v-2jv7MEDIUM6.1
  • Python logoPython
  • dosage
NãoSimJun 26, 2026

Avaliação de vulnerabilidade gratuita

Compare sua postura de segurança na nuvem

Avalie suas práticas de segurança na nuvem em 9 domínios de segurança para comparar seu nível de risco e identificar lacunas em suas defesas.

Solicitar avaliação

Marque uma demonstração personalizada

Pronto para ver a Wiz em ação?

"A melhor experiência do usuário que eu já vi, fornece visibilidade total para cargas de trabalho na nuvem."
David EstlickCISO
"A Wiz fornece um único painel de vidro para ver o que está acontecendo em nossos ambientes de nuvem."
Adão FletcherDiretor de Segurança
"Sabemos que se a Wiz identifica algo como crítico, na verdade é."
Greg PoniatowskiChefe de Gerenciamento de Ameaças e Vulnerabilidades