CVE-2026-22690: CWE-400: Uncontrolled Resource Consumption in py-pdf pypdf
pypdf is a free and open-source pure-python PDF library. Prior to version 6.6.0, pypdf has possible long runtimes for missing /Root object with large /Size values. An attacker who uses this vulnerability can craft a PDF which leads to possibly long runtimes for actually invalid files. This can be achieved by omitting the /Root entry in the trailer, while using a rather large /Size value. Only the non-strict reading mode is affected. This issue has been patched in version 6.6.0.
AI Analysis
Technical Summary
CVE-2026-22690 is a resource exhaustion vulnerability classified under CWE-400 affecting the pypdf library, a pure Python PDF processing tool widely used for reading and manipulating PDF files. The issue occurs in versions prior to 6.6.0 when the library processes PDF files that omit the mandatory /Root entry in the trailer dictionary but specify a large /Size value. In non-strict reading mode, this malformed PDF causes the parser to enter a state where it attempts to process an excessive number of objects, leading to prolonged runtimes and high CPU consumption. This uncontrolled resource consumption can degrade system performance or cause denial-of-service conditions in applications relying on pypdf for PDF parsing. The vulnerability requires no authentication or user interaction and can be triggered remotely by supplying a crafted PDF file. The flaw has been addressed in pypdf 6.6.0 by improving validation and handling of the trailer dictionary entries to prevent excessive processing. No public exploits have been reported, and the CVSS v4.0 base score is 2.7, reflecting low severity due to limited impact and ease of mitigation.
Potential Impact
For European organizations, the primary impact is potential denial-of-service through resource exhaustion when processing maliciously crafted PDFs with vulnerable pypdf versions. This can affect document management systems, automated PDF processing pipelines, or any service that parses PDFs using pypdf in non-strict mode. While the vulnerability does not lead to code execution or data leakage, prolonged CPU usage can degrade service availability and performance, impacting business operations. Organizations handling large volumes of PDFs, such as legal firms, financial institutions, government agencies, and publishing companies, may experience service disruptions or increased operational costs due to resource strain. The low CVSS score indicates limited risk, but the threat is relevant where pypdf is embedded in critical workflows without strict input validation or sandboxing.
Mitigation Recommendations
European organizations should upgrade all instances of pypdf to version 6.6.0 or later to eliminate this vulnerability. Where immediate upgrade is not feasible, implement strict input validation to reject PDFs missing the /Root entry or with suspiciously large /Size values before processing. Employ sandboxing or resource-limiting mechanisms (e.g., CPU and memory quotas) around PDF parsing services to contain potential resource exhaustion. Monitor CPU and memory usage patterns for anomalies during PDF processing to detect exploitation attempts. Additionally, configure pypdf to use strict reading mode where possible, as the vulnerability affects only non-strict mode. Regularly audit dependencies and maintain an up-to-date software bill of materials to ensure timely patching of such vulnerabilities.
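One way to implement the pre-parse gate recommended above, as an added example that is not part of the advisory or of pypdf itself: a Python pre-filter that scans a file's classic trailer dictionary for a /Root reference and a plausible /Size before the bytes reach a non-strict parser. The 100,000 object limit, the sample PDF bytes and the function names are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Classic (non-xref-stream) trailer: "trailer << ... >>". Nested dictionaries
# inside the trailer are not handled; that is a known limit of this pre-filter.
TRAILER_RE = re.compile(rb"trailer\s*<<(.*?)>>", re.DOTALL)
ROOT_RE = re.compile(rb"/Root\s+\d+\s+\d+\s+R")
SIZE_RE = re.compile(rb"/Size\s+(\d+)")
OBJ_RE = re.compile(rb"\b\d+\s+\d+\s+obj\b")


@dataclass
class TrailerCheck:
    accepted: bool
    reason: str
    declared_size: Optional[int] = None
    actual_objects: int = 0  # "N G obj" headers seen on disk, for logging


def check_trailer(pdf_bytes: bytes, max_size: int = 100_000) -> TrailerCheck:
    """Gate a PDF before handing it to a parser in non-strict mode.

    Rejects files whose trailer omits /Root or declares a /Size above
    max_size (assumed limit). Objects packed in object streams do not appear
    as "obj" headers, so actual_objects is informational only.
    """
    actual = len(OBJ_RE.findall(pdf_bytes))
    trailers = TRAILER_RE.findall(pdf_bytes)
    if not trailers:
        # Files using cross-reference streams keep trailer keys in an /XRef
        # stream dictionary; route those to strict-mode parsing instead.
        return TrailerCheck(False, "no classic trailer dictionary", None, actual)
    # Incremental updates append further trailers; /Root may live in any of them.
    if not any(ROOT_RE.search(t) for t in trailers):
        return TrailerCheck(False, "trailer has no /Root reference", None, actual)
    size_match = SIZE_RE.search(trailers[-1])
    if size_match is None:
        return TrailerCheck(False, "trailer has no /Size", None, actual)
    size = int(size_match.group(1))
    if size > max_size:
        return TrailerCheck(False, f"/Size {size} exceeds limit {max_size}", size, actual)
    return TrailerCheck(True, "ok", size, actual)


# Constructed sample files (not real-world samples): a minimal PDF skeleton,
# and the same bytes with /Root dropped and /Size inflated as the advisory describes.
GOOD_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Size 3 /Root 1 0 R >>\n%%EOF\n"
)
BAD_PDF = GOOD_PDF.replace(b"/Size 3 /Root 1 0 R", b"/Size 50000000")
```

Files the gate rejects can still be opened with pypdf's strict mode (`PdfReader(stream, strict=True)`), which is the mode the advisory says is unaffected.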
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-08T19:23:09.854Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6961dcab19784dcf52e61fb6
Added to database: 1/10/2026, 4:59:23 AM
Last enriched: 1/10/2026, 5:13:58 AM
Last updated: 1/10/2026, 9:40:42 PM