Source: pypdf
Version: 6.9.2-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for pypdf.

CVE-2026-59935[0]:
| pypdf is a free and open-source pure-python PDF library. Prior to
| 6.14.2, an attacker can craft a PDF with a page content stream
| containing a not terminated inline image that uses the ASCII85 or
| ASCIIHex filters, causing an infinite loop during parsing such as
| when extracting page text. This issue is fixed in version 6.14.2.


CVE-2026-59936[1]:
| pypdf is a free and open-source pure-python PDF library. Prior to
| 6.14.1, an attacker can craft a PDF with a page content stream
| containing a not terminated inline image, causing an infinite loop
| during inline image end marker detection such as when extracting
| page text. This issue is fixed in version 6.14.1.


CVE-2026-59937[2]:
| pypdf is a free and open-source pure-python PDF library. Prior to
| 6.14.0, an attacker can craft a PDF with repeated malformed cross-
| reference streams that cause pypdf to spend long runtimes recovering
| broken cross-reference table entries. This issue is fixed in version
| 6.14.0.


CVE-2026-59938[3]:
| pypdf is a free and open-source pure-python PDF library. Prior to
| 6.14.0, an attacker can craft a PDF with declared image size values
| that are much too large compared to the actual data, causing large
| memory usage in pypdf image parsing. This issue is fixed in version
| 6.14.0.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-59935
    https://www.cve.org/CVERecord?id=CVE-2026-59935
[1] https://security-tracker.debian.org/tracker/CVE-2026-59936
    https://www.cve.org/CVERecord?id=CVE-2026-59936
[2] https://security-tracker.debian.org/tracker/CVE-2026-59937
    https://www.cve.org/CVERecord?id=CVE-2026-59937
[3] https://security-tracker.debian.org/tracker/CVE-2026-59938
    https://www.cve.org/CVERecord?id=CVE-2026-59938

Regards,
Salvatore

Reply via email to