Denial of Service via crafted PDF inline image
Summary
pypdf is a free and open-source pure-python PDF library. Prior to 6.14.1, an attacker can craft a PDF with a page content stream containing a not terminated inline image, causing an infinite loop during inline image end marker detection such as when extracting page text. This issue is fixed in version 6.14.1. When a user processes this crafted PDF, such as during text extraction, the vulnerability causes an infinite loop, leading to a Denial of Service (DoS) condition. This issue impacts the availability of the pypdf application. This Moderate-impact flaw in the pypdf library can lead to a denial of service. A remote attacker could provide a specially crafted PDF document containing an unterminated inline image, causing an infinite loop when the document is processed, such as during text extraction. This issue primarily affects the availability of applications that handle untrusted PDF content. Red Hat severity: Moderate — CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H). Weakness: CWE-835. Affected Red Hat products: Exploit Intelligence; OpenShift Lightspeed; Red Hat Ansible Automation Platform 2; Red Hat Enterprise Linux AI (RHEL AI) 3; Red Hat OpenShift AI (RHOAI); Red Hat Quay 3. Red Hat does not currently list a fixing RHSA for this CVE.
- < 6.14.1
Official advisory · high-confidence parse· fetched 15 minutes ago·verify at source
- 6.14.1
Official advisory · high-confidence parse· fetched 15 minutes ago·verify at source
Mitigation
Mitigation steps weren't captured by the parser for this advisory — this is a parsing gap, not a statement that no fix exists. Read the vendor advisory below for the authoritative guidance.
Official advisory · high-confidence parse· fetched 15 minutes ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.