Nixpkgs security tracker

Untriaged

Permalink CVE-2026-48155

4.8 MEDIUM

CVSS version (CVSS): 4.0
Attack Vector (AV): Local (L)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): None (N)
Privileges Required (PR): None (N)
User Interaction (UI): Passive (P)
Vulnerable System Impact Confidentiality (VC): None (N)
Vulnerable System Impact Integrity (VI): None (N)
Vulnerable System Impact Availability (VA): Low (L)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Modified Attack Vector (MAV): Local (L)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): None (N)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): Passive (P)
Modified Vulnerable System Impact Confidentiality (MVC): None (N)
Modified Vulnerable System Impact Integrity (MVI): None (N)
Modified Vulnerable System Impact Availability (MVA): Low (L)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)
Exploit Maturity (E): Not Defined (X)

created 3 days, 8 hours ago Activity log

Created suggestion 3 days, 8 hours ago

pypdf: Possible large memory usage for large offsets for layout mode text

pypdf is a free and open-source pure-python PDF library. Prior to 6.12.0, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires extracting text in layout mode with large character offsets. This vulnerability is fixed in 6.12.0.

References

https://github.com/py-pdf/pypdf/security/advisories/GHSA-cj93-chg6-vgv8 x_refsource_CONFIRM
https://github.com/py-pdf/pypdf/pull/3790 x_refsource_MISC
https://github.com/py-pdf/pypdf/releases/tag/6.12.0 x_refsource_MISC

Affected products

pypdf

==< 6.12.0

Matching in nixpkgs

pkgs.capypdf

Fully color managed PDF generation library

nixos-unstable 0.20.0
- nixpkgs-unstable 0.20.0
- nixos-unstable-small 0.20.0
nixos-25.11 0.18.0
- nixos-25.11-small 0.18.0
- nixpkgs-25.11-darwin 0.18.0

pkgs.python312Packages.pypdf

Pure-python PDF library capable of splitting, merging, cropping, and transforming the pages of PDF files

nixos-25.11 6.10.2
- nixos-25.11-small 6.10.2
- nixpkgs-25.11-darwin 6.10.2

pkgs.python313Packages.pypdf

Pure-python PDF library capable of splitting, merging, cropping, and transforming the pages of PDF files

nixos-unstable 6.10.2
- nixpkgs-unstable 6.10.2
- nixos-unstable-small 6.10.2
nixos-25.11 6.10.2
- nixos-25.11-small 6.10.2
- nixpkgs-25.11-darwin 6.10.2

pkgs.python314Packages.pypdf

Pure-python PDF library capable of splitting, merging, cropping, and transforming the pages of PDF files

nixos-unstable 6.10.2
- nixpkgs-unstable 6.10.2
- nixos-unstable-small 6.10.2

pkgs.python312Packages.pypdf2

Pure-Python library built as a PDF toolkit

nixos-25.11 pypdf2-3.0.1
- nixos-25.11-small pypdf2-3.0.1
- nixpkgs-25.11-darwin pypdf2-3.0.1

pkgs.python312Packages.pypdf3

Pure-Python library built as a PDF toolkit

nixos-25.11 pypdf3-1.0.6
- nixos-25.11-small pypdf3-1.0.6
- nixpkgs-25.11-darwin pypdf3-1.0.6

pkgs.python313Packages.pypdf2

Pure-Python library built as a PDF toolkit

nixos-unstable pypdf2-3.0.1
- nixpkgs-unstable pypdf2-3.0.1
- nixos-unstable-small pypdf2-3.0.1
nixos-25.11 pypdf2-3.0.1
- nixos-25.11-small pypdf2-3.0.1
- nixpkgs-25.11-darwin pypdf2-3.0.1

pkgs.python313Packages.pypdf3

Pure-Python library built as a PDF toolkit

nixos-unstable pypdf3-1.0.6
- nixpkgs-unstable pypdf3-1.0.6
- nixos-unstable-small pypdf3-1.0.6
nixos-25.11 pypdf3-1.0.6
- nixos-25.11-small pypdf3-1.0.6
- nixpkgs-25.11-darwin pypdf3-1.0.6