CVE-2026-28351: Uncontrolled Resource Consumption in pypdf RunLengthDecode

Published: February 28, 2026 at 02:10 AM EST
Source: Dev.to

Vulnerability Overview

  • CVE ID: CVE-2026-28351
  • CWE ID: CWE-400
  • CVSS v4.0 Score: 6.9
  • Published: 2026-02-28
  • Attack Vector: Network
  • Impact: Denial of Service (DoS)
  • Exploit Status: PoC Available

Affected Component

The issue exists in the pypdf library versions prior to 6.7.4. The vulnerability is located in the RunLengthDecode filter implementation.

Technical Details

A crafted PDF containing a malformed Run‑Length Encoding (RLE) stream can cause the decoder to:

  • Enter an infinite loop, or
  • Allocate memory without bound, leading to an Out‑Of‑Memory (OOM) condition.

This results in a denial‑of‑service condition for applications that process untrusted PDFs without strict resource limits.
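To make the failure mode concrete, here is an added example (this editor's own code, not pypdf's): a minimal RunLengthDecode decoder that applies the same kind of output cap as the 6.7.4 fix and also refuses truncated runs. The cap value is taken from the fix excerpt; the function names, the classify() gate and the two sample streams are constructed for this illustration.

```python
class LimitReachedError(Exception):
    """Raised when the decoded output would exceed the configured cap."""

# Cap value from the advisory's fix excerpt; the rest of this file is the editor's own code.
RUN_LENGTH_MAX_OUTPUT_LENGTH = 75_000_000

def run_length_decode(data: bytes, max_output: int = RUN_LENGTH_MAX_OUTPUT_LENGTH) -> bytes:
    """Decode a PDF RunLengthDecode stream (PDF 32000-1, 7.4.5) with bounded output.
    Length byte L: 0..127 copies the next L+1 bytes literally, 129..255 repeats the
    next byte 257-L times, 128 is the end-of-data (EOD) marker. The cap is checked
    before each run is materialised, so an oversized stream fails without allocating.
    """
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        length = data[i]
        i += 1
        if length == 128:  # EOD
            break
        run_len = length + 1 if length < 128 else 257 - length
        if len(out) + run_len > max_output:
            raise LimitReachedError("Limit reached while decompressing.")
        if length < 128:
            chunk = data[i:i + run_len]
            if len(chunk) != run_len:
                raise ValueError("truncated literal run")
            i += run_len
        else:
            if i >= n:
                raise ValueError("truncated repeat run")
            chunk = bytes([data[i]]) * run_len
            i += 1
        out += chunk  # i always advances, so the loop cannot spin without growing out
    return bytes(out)

def classify(data: bytes, max_output: int = RUN_LENGTH_MAX_OUTPUT_LENGTH) -> str:
    """Return 'ok', 'limit' or 'malformed' for a stream; usable as a pre-parse gate."""
    try:
        run_length_decode(data, max_output)
    except LimitReachedError:
        return "limit"
    except ValueError:
        return "malformed"
    return "ok"

# Constructed samples: a benign stream, and a hostile one that expands 64x and omits EOD.
BENIGN = bytes([1, 0x41, 0x42, 0xFE, 0x43, 0x80])  # "AB" + "CCC" + EOD -> b"ABCCC"
HOSTILE = bytes([0x81, 0x41]) * 10                  # 20 bytes in, 1280 bytes out
```

Because every run adds at least one output byte, a cap on the output also bounds the number of loop iterations a well-formed stream can drive; the truncation checks cover the case where the input ends mid-run.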

Code Change Fix

The fix introduced in version 6.7.4 adds a maximum output length check:

+ RUN_LENGTH_MAX_OUTPUT_LENGTH = 75_000_000
+ if total_length > RUN_LENGTH_MAX_OUTPUT_LENGTH:
+     raise LimitReachedError("Limit reached while decompressing.")
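Review bot: the excerpt shows the cap check but not where total_length is accumulated; the check only prevents the out-of-memory condition described above if it runs inside the decode loop, after each run's length is added to total_length and before that run's bytes are materialised, since a single check on the finished output would allocate the full result first. Suggest that the PR description, or a comment above the check, names the point in the loop where the check sits.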

Remediation

  1. Upgrade the library:

     pip install "pypdf>=6.7.4"

  2. Restart any services that load the library to ensure the new version is used.

  3. Apply additional hardening measures:

     • Impose memory limits on worker processes that parse PDFs.
     • Validate PDF file structure before full processing.

References

  • GitHub Security Advisory: GHSA-f2v5-7jq9-h8cg
  • Pull Request #3664: Add max output length check to RunLengthDecode
  • PyPI release: pypdf 6.7.4

For a full analysis, see the detailed report for CVE‑2026‑28351 on the vendor’s website.
