CVE-2026-28351 is a vulnerability classified under CWE-400 (Uncontrolled Resource Consumption) affecting the py-pdf pypdf library, a pure Python library used for PDF processing. Versions prior to 6.7.4 are vulnerable to an attack where an adversary crafts a malicious PDF file that exploits the RunLengthDecode filter during content stream parsing. This crafted PDF triggers excessive memory allocation, leading to large memory usage and potentially exhausting system resources. The vulnerability does not require any authentication or user interaction, and it can be triggered remotely by simply processing the malicious PDF. The root cause lies in insufficient validation and control over resource allocation when decoding streams using the RunLengthDecode filter. The issue was addressed and fixed in version 6.7.4 of pypdf, and a workaround is available by applying the changes from pull request #3664. Although no known exploits have been reported in the wild, the vulnerability poses a risk of denial of service (DoS) attacks against applications that rely on pypdf for PDF parsing, especially those processing untrusted or user-supplied PDF files. The CVSS v4.0 base score is 6.9, reflecting a medium severity level due to the ease of exploitation and potential impact on availability.

The primary impact of CVE-2026-28351 is denial of service caused by excessive memory consumption when processing maliciously crafted PDF files. This can lead to application crashes, degraded performance, or complete service outages in systems that utilize vulnerable versions of pypdf for PDF parsing. Organizations that integrate pypdf in document processing pipelines, web applications, or automated PDF handling services are at risk. Attackers can exploit this vulnerability remotely without authentication or user interaction, increasing the attack surface. While the vulnerability does not directly compromise confidentiality or integrity, the availability impact can disrupt business operations, especially in environments with high volumes of PDF processing or where PDFs are accepted from untrusted sources. The lack of known exploits in the wild reduces immediate risk but does not eliminate the potential for future attacks. Systems with limited memory resources or those running in multi-tenant environments may be particularly vulnerable to resource exhaustion attacks leveraging this flaw.

To mitigate CVE-2026-28351, organizations should immediately upgrade all instances of the pypdf library to version 6.7.4 or later, where the vulnerability is fixed. If upgrading is not immediately feasible, applying the changes from pull request #3664 as a temporary workaround can reduce risk. Additionally, implement strict input validation and filtering to restrict or sanitize PDF files from untrusted sources before processing. Employ resource limiting techniques such as memory quotas or sandboxing for PDF parsing processes to contain potential resource exhaustion. Monitoring and alerting on abnormal memory usage patterns during PDF processing can help detect exploitation attempts early. Consider isolating PDF processing workloads in separate containers or virtual machines to prevent impact on critical systems. Regularly review and update dependencies to ensure timely application of security patches. Finally, educate developers and system administrators about the risks of processing untrusted PDFs and the importance of using updated libraries.