CVE-2026-28351: CWE-400: Uncontrolled Resource Consumption in py-pdf pypdf
CVE-2026-28351 is a medium severity vulnerability in the pypdf library prior to version 6.7.4 that allows an attacker to cause uncontrolled resource consumption by crafting a malicious PDF using the RunLengthDecode filter. This leads to excessive memory usage during parsing, potentially resulting in denial of service. No authentication or user interaction is required to exploit this vulnerability, and it can be triggered remotely by processing a malicious PDF. The issue has been fixed in pypdf version 6.7.4, and a workaround involves applying changes from PR #3664. Although no known exploits are reported in the wild, organizations using vulnerable pypdf versions in automated PDF processing or document management systems should prioritize patching. The vulnerability affects any system that uses pypdf versions earlier than 6.7.4.
AI Analysis
Technical Summary
CVE-2026-28351 is a vulnerability classified under CWE-400 (Uncontrolled Resource Consumption) affecting the pypdf library, a widely used pure-Python PDF processing tool. The flaw exists in versions prior to 6.7.4 and is triggered when parsing PDF content streams that utilize the RunLengthDecode filter. An attacker can craft a specially designed PDF file that causes the library to consume excessive amounts of memory during decoding, leading to potential denial of service conditions such as application crashes or system resource exhaustion. The vulnerability does not require any authentication or user interaction, making it remotely exploitable by simply processing a malicious PDF document. The root cause is insufficient control over resource allocation during the decoding process, allowing the attacker to amplify memory usage. The issue was addressed in pypdf version 6.7.4, which includes fixes to limit resource consumption during RunLengthDecode processing. As a temporary mitigation, applying the changes from pull request #3664 can reduce risk. No public exploits have been reported yet, but the vulnerability poses a risk to any Python applications that automatically parse or handle untrusted PDF files using vulnerable pypdf versions. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges or user interaction required, and a medium impact on availability, resulting in a score of 6.9.
Potential Impact
The primary impact of CVE-2026-28351 is denial of service through resource exhaustion. Organizations that use pypdf in automated workflows, document processing pipelines, or web services that accept PDF uploads are at risk of having their systems overwhelmed by maliciously crafted PDFs. This can lead to application crashes, degraded performance, or complete service outages, affecting availability and potentially causing operational disruptions. Since the vulnerability does not compromise confidentiality or integrity directly, the main concern is service reliability. However, denial of service in critical document processing systems could indirectly affect business continuity and user trust. The ease of exploitation without authentication or user interaction increases the threat level, especially for internet-facing services. Although no exploits are currently known in the wild, the widespread use of pypdf in Python applications globally means many organizations could be exposed if they have not updated to version 6.7.4 or applied mitigations. This vulnerability could also be leveraged as part of multi-stage attacks to distract or degrade defenses.
Mitigation Recommendations
To mitigate CVE-2026-28351, organizations should immediately upgrade all instances of the pypdf library to version 6.7.4 or later, where the vulnerability is fixed. For environments where immediate upgrade is not feasible, applying the changes from pull request #3664 is recommended as a temporary workaround to limit resource consumption during RunLengthDecode processing. Additionally, implement strict input validation and filtering to block or quarantine suspicious PDF files before processing, especially those from untrusted sources. Employ resource usage monitoring and limits (e.g., memory and CPU quotas) on services that parse PDFs to detect and contain abnormal consumption patterns. Consider sandboxing PDF processing components to isolate failures and prevent system-wide impact. Regularly audit and update all dependencies to reduce exposure to known vulnerabilities. Finally, maintain comprehensive logging and alerting to identify potential exploitation attempts early.
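The technical summary above names the root cause (a decoder that does not bound how much output it will allocate for a RunLengthDecode stream) and the mitigation section names the counter-measures (upgrade to 6.7.4 or later, cap resource use while parsing untrusted PDFs). The following Python is an added illustration of both points; it is not pypdf's code and does not reproduce the fix from pypdf 6.7.4 or PR #3664. It implements the RunLengthDecode filter as specified in PDF 32000-1 (section 7.4.5) with an explicit output budget that is checked before each run is materialised, and a small version gate for the 6.7.4 threshold stated in the advisory. The `max_output` default, the exception class and the sample streams are assumptions constructed for the example.

```python
"""Bounded RunLengthDecode and a pypdf version gate (added example, not pypdf code)."""
from __future__ import annotations

import re

# Fixed version stated in the advisory; anything older should not parse untrusted PDFs.
PYPDF_FIXED_VERSION = (6, 7, 4)

# RunLengthDecode end-of-data marker (PDF 32000-1, 7.4.5).
EOD = 128


class DecodeLimitExceeded(ValueError):
    """Raised when decoded output would exceed the configured byte budget."""


def _check_budget(current: int, extra: int, max_output: int) -> None:
    """Refuse a run before allocating it, so a hostile stream cannot grow memory first."""
    if current + extra > max_output:
        raise DecodeLimitExceeded(
            f"decoded output would reach {current + extra} bytes, cap is {max_output}"
        )


def run_length_decode(data: bytes, max_output: int = 1 << 20) -> bytes:
    """Decode a RunLengthDecode stream, emitting at most max_output bytes.

    Encoding: a length byte L followed by
      * L in 0..127   -> copy the next L+1 bytes literally
      * L in 129..255 -> repeat the next single byte 257-L times
      * L == 128      -> end of data
    A repeat run turns 2 input bytes into up to 128 output bytes (64x), which is
    why the budget is enforced per run rather than on the input size alone.
    """
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        length = data[i]
        i += 1
        if length == EOD:
            break
        if length < 128:
            count = length + 1
            if i + count > n:
                raise ValueError("truncated literal run")
            _check_budget(len(out), count, max_output)
            out += data[i:i + count]
            i += count
        else:
            if i >= n:
                raise ValueError("truncated repeat run")
            count = 257 - length
            _check_budget(len(out), count, max_output)
            out += data[i:i + 1] * count
            i += 1
    return bytes(out)


def pypdf_needs_upgrade(version: str) -> bool:
    """True when a pypdf version string is older than the fixed 6.7.4 release."""
    match = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = tuple(int(p) if p is not None else 0 for p in match.groups())
    return parts < PYPDF_FIXED_VERSION


# Constructed sample streams (not taken from any real PDF).
SAMPLE_LITERAL = b"\x04Hello\x80"            # one literal run of 5 bytes, then EOD
SAMPLE_REPEATS = b"\x81A" * 3 + b"\x80"      # three repeat runs of 128 'A' each

if __name__ == "__main__":
    print(run_length_decode(SAMPLE_LITERAL))                  # b'Hello'
    print(len(run_length_decode(SAMPLE_REPEATS)))             # 384
    try:
        run_length_decode(SAMPLE_REPEATS, max_output=256)
    except DecodeLimitExceeded as exc:
        print("rejected:", exc)
    for v in ("6.7.3", "6.7.4", "7.0"):
        print(v, "needs upgrade" if pypdf_needs_upgrade(v) else "ok")
```

The budget check sits before the `out +=` line on purpose: checking after the append would let the allocation happen first, which is the behaviour the advisory describes. In a deployment, the same idea applies one level up: run the PDF parser under an OS memory quota or in a sandboxed worker, and use the version gate to refuse untrusted input until pypdf is at 6.7.4 or later.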
Affected Countries
United States, Germany, United Kingdom, France, Japan, South Korea, China, India, Canada, Australia
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-26T18:38:13.890Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69a2087132ffcdb8a2724a71
Added to database: 2/27/2026, 9:11:13 PM
Last enriched: 2/27/2026, 9:27:33 PM
Last updated: 2/27/2026, 10:12:24 PM
Views: 5