{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-54530", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-06-15T18:40:01.651Z", "datePublished": "2026-06-22T20:25:29.305Z", "dateUpdated": "2026-06-23T16:11:37.526Z"}, "containers": {"cna": {"title": "pypdf: Possible infinite loop when retrieving fonts for layout-mode text extraction", "problemTypes": [{"descriptions": [{"cweId": "CWE-835", "lang": "en", "description": "CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/py-pdf/pypdf/security/advisories/GHSA-52x6-gq3r-vpf4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/py-pdf/pypdf/security/advisories/GHSA-52x6-gq3r-vpf4"}, {"name": "https://github.com/py-pdf/pypdf/pull/3830", "tags": ["x_refsource_MISC"], "url": "https://github.com/py-pdf/pypdf/pull/3830"}, {"name": "https://github.com/py-pdf/pypdf/releases/tag/6.13.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/py-pdf/pypdf/releases/tag/6.13.0"}], "affected": [{"vendor": "py-pdf", "product": "pypdf", "versions": [{"version": "< 6.13.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-22T20:25:29.305Z"}, "descriptions": [{"lang": "en", "value": "pypdf is a free and open-source pure-python PDF library. Prior to 6.13.0, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires extracting the text in layout mode. This vulnerability is fixed in 6.13.0."}], "source": {"advisory": "GHSA-52x6-gq3r-vpf4", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-23T14:52:35.536228Z", "id": "CVE-2026-54530", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-23T16:11:37.526Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-54530", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-23T14:52:35.536228Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-23T14:52:39.195Z"}}], "cna": {"title": "pypdf: Possible infinite loop when retrieving fonts for layout-mode text extraction", "source": {"advisory": "GHSA-52x6-gq3r-vpf4", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "py-pdf", "product": "pypdf", "versions": [{"status": "affected", "version": "< 6.13.0"}]}], "references": [{"url": "https://github.com/py-pdf/pypdf/security/advisories/GHSA-52x6-gq3r-vpf4", "name": "https://github.com/py-pdf/pypdf/security/advisories/GHSA-52x6-gq3r-vpf4", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/py-pdf/pypdf/pull/3830", "name": "https://github.com/py-pdf/pypdf/pull/3830", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/py-pdf/pypdf/releases/tag/6.13.0", "name": "https://github.com/py-pdf/pypdf/releases/tag/6.13.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "pypdf is a free and open-source pure-python PDF library. Prior to 6.13.0, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires extracting the text in layout mode. This vulnerability is fixed in 6.13.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-835", "description": "CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-22T20:25:29.305Z"}}}, "cveMetadata": {"cveId": "CVE-2026-54530", "state": "PUBLISHED", "dateUpdated": "2026-06-23T15:06:25.240Z", "dateReserved": "2026-06-15T18:40:01.651Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-06-22T20:25:29.305Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{}

{"bugzilla": {"description": "pypdf: python-pypdf: pypdf: Denial of Service via crafted PDF processing", "id": "2491528", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2491528"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-835", "details": ["pypdf is a free and open-source pure-python PDF library. Prior to 6.13.0, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires extracting the text in layout mode. This vulnerability is fixed in 6.13.0.", "A flaw was found in pypdf, a pure-python PDF library. An attacker can craft a malicious PDF file that, when processed by a system extracting text in layout mode, can lead to an infinite loop. This vulnerability results in a Denial of Service (DoS), making the affected system unresponsive."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, avoid processing untrusted PDF files with applications that utilize the pypdf library for text extraction in layout mode. If possible, configure applications to disable text extraction in layout mode or restrict the sources of PDF files to trusted origins.\nUpdate to 6.13.0+ version to fix the vulnerability."}, "name": "CVE-2026-54530", "package_state": [{"cpe": "cpe:/a:redhat:exploit_intelligence:0", "fix_state": "Fix deferred", "package_name": "exploit-intelligence-tech-preview/vulnerability-analysis-rhel9", "product_name": "Exploit Intelligence"}, {"cpe": "cpe:/a:redhat:openshift_lightspeed", "fix_state": "Fix deferred", "package_name": "openshift-lightspeed/lightspeed-ocp-rag-rhel9", "product_name": "OpenShift Lightspeed"}, {"cpe": "cpe:/a:redhat:openshift_lightspeed", "fix_state": "Fix deferred", "package_name": "openshift-lightspeed-tech-preview/lightspeed-rag-tool-rhel9", "product_name": "OpenShift Lightspeed"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "ansible-automation-platform-25/lightspeed-chatbot-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/bootc-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/bootc-gaudi-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/bootc-rocm-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/disk-image-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-llama-stack-core-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Fix deferred", "package_name": "quay/quay-rhel8", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Fix deferred", "package_name": "quay/quay-rhel9", "product_name": "Red Hat Quay 3"}], "public_date": "2026-06-22T20:25:29Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-54530\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-54530\nhttps://github.com/py-pdf/pypdf/pull/3830\nhttps://github.com/py-pdf/pypdf/releases/tag/6.13.0\nhttps://github.com/py-pdf/pypdf/security/advisories/GHSA-52x6-gq3r-vpf4"], "statement": "This Moderate impact flaw in pypdf affects Red Hat products that process untrusted PDF files and extract text in layout mode. An attacker could provide a specially crafted PDF, leading to an infinite loop and a Denial of Service. The vulnerability requires specific processing conditions, contributing to its Moderate severity.\nAffected method: extract_text(extraction_mode=\"layout\")", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.13.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "pypdf", "source": "cna", "vendor": "py-pdf"}, "product": "pypdf", "vendor": "py-pdf"}], "created": "2026-06-22T22:30:07.429061+00:00", "updated": "2026-06-23T00:15:03.602908+00:00", "vendors": ["py-pdf", "py-pdf$PRODUCT$pypdf"]}