The vulnerability identified as CVE-2026-33123 affects the py-pdf pypdf library, a pure Python library widely used for PDF manipulation and parsing. Versions prior to 6.9.1 contain a flaw related to uncontrolled resource consumption (CWE-400) and improper resource management (CWE-407). Specifically, when pypdf processes a crafted PDF containing an array-based stream with a large number of entries, it can cause excessive CPU usage and memory allocation. This leads to significantly prolonged processing times and potential exhaustion of system resources, effectively resulting in a denial-of-service (DoS) condition. The vulnerability does not require any privileges, authentication, or user interaction to be exploited; simply parsing the malicious PDF triggers the issue. The root cause lies in the inefficient handling of large array streams within the PDF structure, which pypdf fails to limit or manage properly. The maintainers addressed this issue in version 6.9.1 by implementing safeguards to prevent excessive resource consumption during parsing. No public exploits have been reported, but the vulnerability poses a risk to any application or service that uses vulnerable pypdf versions to process untrusted PDF files.

Organizations using pypdf versions prior to 6.9.1 in their software stacks are at risk of denial-of-service attacks via malicious PDFs. This can impact web applications, document processing services, automated PDF workflows, and any system that parses PDFs without strict input validation. The resource exhaustion can degrade system performance, cause application crashes, or lead to service outages, impacting availability. Since pypdf is a popular open-source library, the vulnerability could affect a wide range of industries including finance, legal, healthcare, and government sectors that rely on PDF processing. Although no data confidentiality or integrity compromise is indicated, the availability impact can disrupt business operations and cause reputational damage. The ease of exploitation—requiring only a crafted PDF—makes this vulnerability a practical concern for organizations accepting PDFs from external or untrusted sources.

The primary mitigation is to upgrade all instances of pypdf to version 6.9.1 or later, where the vulnerability is fixed. Organizations should audit their software dependencies to identify and update vulnerable pypdf versions promptly. Additionally, implement strict input validation and sandboxing for PDF processing components to limit resource usage and isolate failures. Employ resource limits (CPU, memory) at the application or container level to prevent a single PDF from exhausting system resources. Monitor PDF processing logs and system metrics for abnormal spikes in resource consumption that may indicate exploitation attempts. Where feasible, restrict PDF uploads or processing to trusted sources or apply PDF sanitization tools before parsing. Finally, maintain an incident response plan to quickly address potential denial-of-service incidents related to PDF processing.