CVE-2026-28804 is an algorithmic complexity vulnerability classified under CWE-407 affecting the py-pdf pypdf library versions prior to 6.7.5. The vulnerability arises when the library processes PDF streams filtered with /ASCIIHexDecode. An attacker can craft a malicious PDF file that causes the library to enter a state of inefficient processing, leading to significantly prolonged runtimes. This can result in resource exhaustion, effectively causing a denial of service (DoS) condition in applications that parse or manipulate PDFs using the vulnerable pypdf versions. The vulnerability does not require any privileges, authentication, or user interaction, making it remotely exploitable by simply providing the malicious PDF input. The root cause is the inefficient handling of the ASCIIHexDecode filter stream, which can be exploited to trigger excessive CPU consumption. The issue was addressed and patched in pypdf version 6.7.5, which optimizes the decoding process to prevent such runtime degradation. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and low impact on availability (VA:L), with no impact on confidentiality or integrity. No known exploits have been reported in the wild as of the publication date. This vulnerability primarily affects any software or services that rely on pypdf for PDF processing and have not updated to the fixed version.

The primary impact of CVE-2026-28804 is a denial of service condition caused by resource exhaustion due to inefficient processing of crafted PDF files. Organizations using vulnerable versions of pypdf in automated PDF processing pipelines, document management systems, or web services that accept PDF uploads are at risk. Exploitation could lead to application slowdowns, crashes, or unavailability, disrupting business operations and potentially causing service outages. Since the vulnerability does not affect confidentiality or integrity, data breaches or unauthorized data modification are unlikely. However, the availability impact can be significant for high-volume or critical PDF processing environments. Attackers could leverage this vulnerability to perform targeted DoS attacks against organizations that rely on pypdf, especially if exposed to untrusted PDF inputs. The lack of authentication or user interaction requirements increases the risk of exploitation. While no known exploits exist currently, the medium severity and ease of exploitation warrant prompt remediation to prevent future attacks.

To mitigate CVE-2026-28804, organizations should immediately upgrade all instances of the pypdf library to version 6.7.5 or later, where the vulnerability is patched. For environments where immediate upgrade is not feasible, implement input validation and filtering to block or sanitize PDF files containing /ASCIIHexDecode streams from untrusted sources. Employ rate limiting and resource usage monitoring on PDF processing services to detect and mitigate abnormal processing times indicative of exploitation attempts. Consider sandboxing or isolating PDF processing components to contain potential denial of service impacts. Additionally, maintain updated threat intelligence to monitor for any emerging exploits targeting this vulnerability. Regularly audit and update third-party dependencies like pypdf to ensure timely application of security patches. Finally, educate developers and system administrators about the risks of algorithmic complexity vulnerabilities and the importance of secure PDF handling.