CVE-2026-22691: CWE-1333: Inefficient Regular Expression Complexity in py-pdf pypdf
pypdf is a free and open-source pure-Python PDF library. Prior to version 6.6.0, pypdf has possible long runtimes for malformed startxref entries. An attacker who uses this vulnerability can craft a PDF which leads to possibly long runtimes for invalid startxref entries. When rebuilding the cross-reference table, PDF files with lots of whitespace characters become problematic. Only the non-strict reading mode is affected. This issue has been patched in version 6.6.0.
AI Analysis
Technical Summary
CVE-2026-22691 identifies a vulnerability in the pypdf library, a pure-Python PDF processing tool widely used for reading and manipulating PDF files. The flaw arises from inefficient handling of malformed startxref entries during the reconstruction of the PDF cross-reference table in non-strict reading mode. Specifically, PDFs crafted with numerous whitespace characters in the startxref section cause the regular expression engine to consume excessive CPU time, resulting in long runtimes and potential denial of service conditions. This vulnerability is classified under CWE-1333 (Inefficient Regular Expression Complexity) and CWE-400 (Uncontrolled Resource Consumption). Exploitation requires no privileges or user interaction and can be triggered remotely by supplying a malicious PDF to an application using a vulnerable pypdf version below 6.6.0. The impact is limited to performance degradation rather than confidentiality or integrity compromise. The issue was addressed in pypdf version 6.6.0 by optimizing the parsing logic to handle whitespace more efficiently and prevent excessive resource consumption. No public exploits have been reported, but automated PDF processing systems remain at risk if they accept untrusted inputs in non-strict mode.
Potential Impact
For European organizations, the primary impact is potential denial of service or significant performance degradation in systems that utilize vulnerable versions of pypdf for PDF processing, especially in automated workflows handling untrusted or malformed PDF documents. This could affect document management systems, automated data extraction pipelines, and other services relying on pypdf. While the vulnerability does not directly compromise data confidentiality or integrity, prolonged processing times could disrupt business operations, delay document handling, and increase resource consumption, potentially leading to service outages. Organizations in sectors with heavy document processing demands, such as legal, financial, and government institutions, may experience operational impacts. The low CVSS score reflects the limited scope and ease of mitigation, but the risk remains relevant where patching is delayed or non-strict mode is necessary.
Mitigation Recommendations
1. Upgrade all instances of pypdf to version 6.6.0 or later, where the vulnerability is patched.
2. Avoid using non-strict reading mode when processing PDFs from untrusted or external sources, as this mode is specifically affected.
3. Implement input validation and sanitization to detect and reject malformed or suspicious PDF files before processing.
4. Monitor PDF processing systems for unusual CPU or memory usage patterns that may indicate exploitation attempts.
5. Employ rate limiting and resource quotas on PDF processing services to mitigate potential denial of service impacts.
6. Integrate security testing into the software development lifecycle to detect similar inefficiencies in third-party libraries.
7. Maintain an inventory of software dependencies and ensure timely updates for libraries handling complex file formats like PDF.
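A defender-side wrapper that puts recommendations 1, 2 and 5 into practice, added here as an illustration; it is not code from the pypdf project or from the original advisory. It relies only on pypdf's public `PdfReader(path, strict=...)` constructor; the function names, the 5-second wall-clock budget and the 10-second CPU cap are choices of this example, and the version parser deliberately ignores pre-release suffixes.

```python
# Defensive wrapper for running pypdf on untrusted input (added example, not pypdf code).
# Covers three of the recommendations above: a version gate (step 1), strict
# reading mode (step 2) and a per-document time budget (step 5).
import importlib.metadata
import multiprocessing
import re
from typing import Optional, Tuple

# Fixed release named in the advisory.
PATCHED_VERSION: Tuple[int, int, int] = (6, 6, 0)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Reduce a version string to a (major, minor, patch) tuple.

    Only the leading numeric components are used, so a pre-release such as
    '6.6.0rc1' compares equal to '6.6.0'; use packaging.version instead if
    full PEP 440 semantics matter in your environment.
    """
    parts = [int(n) for n in re.findall(r"\d+", version)[:3]]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def is_vulnerable_version(version: str) -> bool:
    """True when the given pypdf version predates the 6.6.0 fix."""
    return parse_version(version) < PATCHED_VERSION


def installed_pypdf_version() -> Optional[str]:
    """Version of the pypdf distribution in this environment, or None if absent."""
    try:
        return importlib.metadata.version("pypdf")
    except importlib.metadata.PackageNotFoundError:
        return None


def _parse_in_child(path: str, result_queue) -> None:
    # Runs in a separate process; pypdf is imported here so a missing
    # dependency surfaces as a child failure rather than at module import.
    import resource  # POSIX only: caps CPU seconds independently of the wall clock
    resource.setrlimit(resource.RLIMIT_CPU, (10, 10))  # example budget, not a pypdf setting
    from pypdf import PdfReader
    # strict=True selects the reading mode the advisory says is not affected
    # (pypdf's default is strict=False).
    reader = PdfReader(path, strict=True)
    result_queue.put(len(reader.pages))


def count_pages_with_limits(path: str, timeout_s: float = 5.0) -> int:
    """Parse one PDF in a child process with a hard wall-clock budget.

    Raises RuntimeError before parsing if the installed pypdf is vulnerable,
    TimeoutError if parsing exceeds timeout_s, and ValueError if the child
    fails (malformed file, strict-mode rejection or pypdf not installed).
    """
    version = installed_pypdf_version()
    if version is None or is_vulnerable_version(version):
        raise RuntimeError(
            f"pypdf {version!r} is missing or older than 6.6.0; refusing untrusted input"
        )

    ctx = multiprocessing.get_context("spawn")
    queue = ctx.Queue()
    child = ctx.Process(target=_parse_in_child, args=(path, queue))
    child.start()
    child.join(timeout_s)
    if child.is_alive():
        # A runaway parse is killed instead of stalling the calling service.
        child.terminate()
        child.join()
        raise TimeoutError(f"parsing {path} exceeded {timeout_s}s; treating file as hostile")
    if child.exitcode != 0:
        raise ValueError(f"child parser failed for {path} (exit code {child.exitcode})")
    return queue.get(timeout=1.0)


if __name__ == "__main__":
    import sys
    print(count_pages_with_limits(sys.argv[1]))
```

The version gate reads the installed distribution metadata, so the service refuses untrusted documents outright while a pre-6.6.0 pypdf is present (step 1). Parsing runs in a child process so that a slow document costs one killed worker rather than a blocked request (step 5), and the CPU rlimit gives a second, kernel-enforced cap on POSIX hosts. The page-count return value is only a placeholder for whatever the real pipeline extracts.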
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-08T19:23:09.855Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6961dcab19784dcf52e61fbc
Added to database: 1/10/2026, 4:59:23 AM
Last enriched: 1/17/2026, 7:54:55 AM
Last updated: 2/7/2026, 12:23:16 PM