CVE-2026-22691: CWE-1333: Inefficient Regular Expression Complexity in py-pdf pypdf

Severity: Low
Type: Vulnerability
Tags: CVE-2026-22691, CWE-1333, CWE-400
Published: Sat Jan 10 2026 (01/10/2026, 04:46:12 UTC)
Source: CVE Database V5
Vendor/Project: py-pdf
Product: pypdf

Description

pypdf is a free and open-source pure-Python PDF library. Prior to version 6.6.0, pypdf can have very long runtimes when handling a malformed startxref. An attacker can craft a PDF whose invalid startxref entries lead to such runtimes: when the cross-reference table is rebuilt, PDF files containing large amounts of whitespace become problematic. Only the non-strict reading mode is affected. This issue has been patched in version 6.6.0.

AI-Powered Analysis

AI analysis last updated: 01/10/2026, 05:13:41 UTC

Technical Analysis

CVE-2026-22691 is a vulnerability in the py-pdf pypdf library, a pure-Python PDF processing library widely used for reading and manipulating PDF files. The flaw arises from inefficient handling of malformed startxref entries while the cross-reference table is being rebuilt. Specifically, in non-strict reading mode, the regular expressions the library uses to parse the startxref section exhibit excessive complexity when the PDF contains large amounts of whitespace. This inefficiency causes the parser to consume excessive CPU time, leading to significantly prolonged runtimes or a denial of service. The vulnerability is classified under CWE-1333 (Inefficient Regular Expression Complexity) and CWE-400 (Uncontrolled Resource Consumption). Exploitation requires no authentication or user interaction and can be triggered remotely by supplying a crafted PDF file to an application that uses a vulnerable pypdf version below 6.6.0. The issue has been addressed in pypdf version 6.6.0 by optimizing the parsing logic and removing the regex complexity. No known exploits have been reported in the wild as of the publication date. The CVSS v4.0 base score is 2.7, reflecting low severity: the impact is limited to resource exhaustion, with no confidentiality or integrity compromise and an availability impact confined to the affected parsing process.

Potential Impact

For European organizations, the primary impact of this vulnerability is denial of service or significant performance degradation in systems that rely on pypdf for automated PDF processing, such as document management platforms, content ingestion pipelines, or PDF validation tools. Attackers could submit maliciously crafted PDFs to disrupt such services, causing downtime or delayed processing. The vulnerability does not lead to data leakage or code execution, but the resource exhaustion can affect availability and operational continuity. Organizations that handle large volumes of PDFs or accept PDFs from untrusted sources are at higher risk. The impact is more pronounced where non-strict parsing mode is enabled; that mode is often chosen to tolerate malformed PDFs, but it is also the only mode exposed to this issue. Given the low CVSS score and the absence of known exploits, the immediate risk is limited, but it should not be ignored in critical document processing workflows.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should upgrade all instances of pypdf to version 6.6.0 or later, where the issue is patched. If upgrading is not immediately feasible, avoiding non-strict reading mode reduces exposure, since only that mode is affected. Validate and filter input so that PDFs with excessive whitespace or a malformed startxref section are detected and rejected before parsing. Apply resource usage monitoring and timeouts to PDF parsing operations so that a prolonged parse cannot affect overall system availability, and consider sandboxing PDF processing components to isolate the effects of a denial of service. Review and update dependencies regularly to incorporate security patches promptly, and make developers and system administrators aware of this vulnerability so it is remediated in a timely manner.
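One way to implement the pre-parse filter described above, as an added example that is not from the pypdf project or this advisory: a linear-time check on the file tail that rejects a missing, heavily padded, non-numeric or out-of-range startxref before the bytes reach any parser. The names, the 64-byte whitespace threshold and the 2 KB tail window are assumptions; the file should still be opened in the library's strict mode with a parse timeout, as the recommendations say.

```python
import re
from typing import Optional

# PDF whitespace bytes per the file format: NUL, TAB, LF, FF, CR, SPACE.
PDF_WS = b"\x00\t\n\x0c\r "
TAIL_BYTES = 2048  # assumed window: startxref sits near the end of a sane file


def check_startxref(tail: bytes, file_size: int, max_ws: int = 64) -> Optional[str]:
    """Return None if the trailer looks sane, otherwise a short rejection reason.

    Uses rfind/lstrip instead of a backtracking regex so the check itself
    stays linear in the size of the tail, whatever the padding looks like.
    """
    idx = tail.rfind(b"startxref")
    if idx < 0:
        return "no startxref keyword in file tail"
    after = tail[idx + len(b"startxref"):]
    stripped = after.lstrip(PDF_WS)
    ws_run = len(after) - len(stripped)
    if ws_run > max_ws:  # the padding pattern this advisory is about
        return f"{ws_run} whitespace bytes after startxref (max {max_ws})"
    m = re.match(rb"(\d{1,20})", stripped)  # bounded, no backtracking
    if not m:
        return "startxref offset is not a decimal integer"
    offset = int(m.group(1))
    if offset >= file_size:
        return f"startxref offset {offset} beyond end of file ({file_size} bytes)"
    rest = stripped[m.end():].lstrip(PDF_WS)
    if not rest.startswith(b"%%EOF"):
        return "startxref offset not followed by %%EOF"
    return None


def check_pdf_file(path: str) -> Optional[str]:
    """Read only the last TAIL_BYTES of the file and run the trailer check."""
    with open(path, "rb") as fh:
        fh.seek(0, 2)
        size = fh.tell()
        fh.seek(max(0, size - TAIL_BYTES))
        return check_startxref(fh.read(), size)


# Constructed sample trailers for illustration; not taken from any real file.
GOOD_TAIL = b"trailer\n<< /Size 7 /Root 1 0 R >>\nstartxref\n1234\n%%EOF\n"
PADDED_TAIL = b"trailer\n<< /Size 7 >>\nstartxref" + b" " * 5000 + b"\nx\n%%EOF\n"
```

Run `check_pdf_file()` on each upload before handing the file to the reader; a non-None result is a reason to reject the file and log the event rather than parse it.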


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-01-08T19:23:09.855Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6961dcab19784dcf52e61fbc

Added to database: 1/10/2026, 4:59:23 AM

Last enriched: 1/10/2026, 5:13:41 AM

Last updated: 1/10/2026, 9:32:06 PM

