Tools: CVE-2026-24688: Ouroboros in the Outline: Infinite Loops in pypdf (CVE-2026-24688)

Source: Dev.to

# Ouroboros in the Outline: Infinite Loops in pypdf (CVE-2026-24688)

## ⚠️ Exploit Status: POC

Vulnerability ID: CVE-2026-24688 | CVSS Score: 7.5 | Published: 2026-01-26

A Denial of Service (DoS) vulnerability in the popular pypdf library lets an attacker trigger an infinite loop with a PDF that contains cyclic outline references. The result is 100% CPU utilization and an application hang.

## Technical Details

pypdf before 6.6.2 does not detect cycles when parsing PDF outlines (bookmarks). A malicious PDF in which bookmark A points to bookmark B and bookmark B points back to A keeps the parser walking the same chain forever, so the application hangs and consumes all available CPU.

- Vulnerability ID: CVE-2026-24688
- CWE ID: CWE-835
- Type: Infinite Loop / DoS
- CVSS: 7.5 (High)
- Attack Vector: Network (File Upload)
- Patch Date: 2026-01-26

## Affected Systems

- pypdf < 6.6.2
- Applications using pypdf for outline/bookmark extraction
- PDF processing pipelines
- Web applications accepting PDF uploads

## Code Analysis

- pypdf: < 6.6.2 (Fixed in: 6.6.2)

Fix commit message: "SEC: Detect cyclic references when retrieving outlines"

## Commit: b1282f8

@@ -123,6 +123,7 @@ def _get_outline( self, node: Optional[DictionaryObject] = None, outline: Optional[Any] = None, + visited: Optional[set[int]] = None, ) -> OutlineType: if outline is None: outline = []

## Exploit Details

- GitHub: Proof of Concept PDF file with circular outline references provided in the issue tracker.

## Mitigation Strategies

- Update pypdf to version 6.6.2 immediately.
- Implement strict timeouts for all PDF processing tasks.
- Run PDF processing in isolated sandboxes or containers with resource limits.
- Monitor application metrics for unexpected CPU spikes.

Upgrade steps:

- Check your current version: `pip show pypdf`
- Upgrade: `pip install "pypdf>=6.6.2"` (the quotes stop the shell from treating `>` as a redirect)
- Verify the fix by running the PoC script against the updated library.
- Re-deploy the application services.

## References

- GitHub Advisory GHSA-2q4j-m29v-hq73
- pypdf Documentation
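Review bot: Only `outline` is initialised in the visible context (`if outline is None: outline = []`); the new `visited: Optional[set[int]] = None` parameter needs the matching `if visited is None: visited = set()`, and the check that actually breaks the A -> B -> A chain (stop or skip when the current node's key is already in `visited`, and pass the same set into the recursive call for child nodes) is not in this hunk, so it must be confirmed in the unchanged part of `_get_outline`. The `None` default is the right choice, since a `set()` default would be shared across calls and make every second document look cyclic. Also note that `set[int]` is evaluated when the `def` runs: if the project still supports Python 3.8 it needs `typing.Set[int]` or `from __future__ import annotations`; on 3.9 and later it is fine.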
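The fix's idea, a visited set threaded through the outline walk, is easier to see on a small model than in the flattened hunk. The following is an added example and not pypdf's code: outline items are plain dicts linked by `/First` (first child) and `/Next` (next sibling), `id()` stands in for the indirect-object number pypdf would record (an assumption), and the sample outlines, including the A -> B -> A loop the advisory describes and a child that points back at its parent, are constructed here.

```python
# Added example (not pypdf's code): a model of the cycle check that the fix for
# CVE-2026-24688 adds to outline traversal. PDF outline items link to each other
# through /First (first child) and /Next (next sibling); a crafted file can make
# those links form a cycle, and a walk that never records which items it has
# already seen then never terminates. Outline items are plain dicts here, and
# id() stands in for the indirect-object number pypdf would record (assumption).
from typing import Any, Dict, List, Optional, Set

OutlineItem = Dict[str, Any]


class CyclicOutlineError(ValueError):
    """Raised when the walk reaches an outline item it has already visited."""


def get_outline(node: Optional[OutlineItem],
                outline: Optional[List[str]] = None,
                visited: Optional[Set[int]] = None) -> List[str]:
    """Collect /Title values in document order, refusing to walk any item twice.

    Same parameter shape as pypdf's _get_outline(node, outline, visited): the
    visited set is shared by every level of the recursion, so an item reached a
    second time by any path (sibling loop or child pointing at an ancestor) is
    reported instead of being walked again.
    """
    if outline is None:
        outline = []
    if visited is None:
        visited = set()
    while node is not None:
        key = id(node)
        if key in visited:
            raise CyclicOutlineError(
                f"outline item {node.get('/Title')!r} reached a second time")
        visited.add(key)
        outline.append(node["/Title"])
        child = node.get("/First")
        if child is not None:
            get_outline(child, outline, visited)  # children share the same visited set
        node = node.get("/Next")
    return outline


def outline_has_cycle(root: OutlineItem) -> bool:
    """Defender-side check: True if walking the outline would revisit an item."""
    try:
        get_outline(root)
    except CyclicOutlineError:
        return True
    return False


# Constructed sample outlines (not taken from any real PDF).

def build_linear_outline() -> OutlineItem:
    """Well-formed outline: Chapter 1 (containing Section 1.1), then Chapter 2."""
    section = {"/Title": "Section 1.1"}
    chapter2 = {"/Title": "Chapter 2"}
    return {"/Title": "Chapter 1", "/First": section, "/Next": chapter2}


def build_sibling_cycle_outline() -> OutlineItem:
    """The A -> B -> A sibling loop described in the advisory."""
    a: OutlineItem = {"/Title": "A"}
    b: OutlineItem = {"/Title": "B", "/Next": a}
    a["/Next"] = b
    return a


def build_child_cycle_outline() -> OutlineItem:
    """A child whose /First points back at its own parent."""
    parent: OutlineItem = {"/Title": "Parent"}
    child: OutlineItem = {"/Title": "Child", "/First": parent}
    parent["/First"] = child
    return parent


if __name__ == "__main__":
    print(get_outline(build_linear_outline()))               # ['Chapter 1', 'Section 1.1', 'Chapter 2']
    print(outline_has_cycle(build_sibling_cycle_outline()))  # True
    print(outline_has_cycle(build_child_cycle_outline()))    # True
```

The walk uses a loop over siblings and recursion only for children, so a long but legitimate bookmark list does not exhaust the Python stack. Raising on a revisit, rather than silently skipping the node, is a design choice: for an upload pipeline, a file whose outline contains a cycle is worth logging as malformed rather than being accepted with a truncated outline.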
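The mitigation list asks for a version check and strict timeouts on PDF processing. As an added example, not pypdf's own code, the block below implements both: a version gate against the fixed release 6.6.2, and a wrapper that runs a parsing callable in a child process under a wall-clock limit and kills it on overrun. `extract_outline_titles()` is the realistic payload and assumes pypdf's public `PdfReader.outline` API (an assumption; it is not run here); `spin_forever()` is a constructed stand-in for a parser stuck in the outline loop.

```python
# Added example (not pypdf's code): two of the mitigations the advisory lists,
# for the window before pypdf >= 6.6.2 is deployed everywhere. version_is_patched()
# gates on the fixed release; run_bounded() runs a parsing callable in a child
# process under a wall-clock limit and kills it on overrun, so a parser stuck in
# the outline loop costs one worker for a few seconds rather than a CPU
# indefinitely. extract_outline_titles() is the realistic payload and assumes
# pypdf's public PdfReader.outline API (assumption; it is not exercised below).
import multiprocessing as mp
import queue as queue_mod
from importlib.metadata import PackageNotFoundError, version as installed_version
from typing import Any, Callable, List, Optional, Tuple

FIXED_VERSION = (6, 6, 2)   # from the advisory: the fix ships in pypdf 6.6.2

# Fork avoids re-importing the caller's main module in the child, which the
# spawn/forkserver start methods do; fall back to the platform default elsewhere.
_CTX = mp.get_context("fork") if "fork" in mp.get_all_start_methods() else mp.get_context()


def _parse_version(text: str) -> Tuple[int, ...]:
    """'6.6.2' -> (6, 6, 2). Only the leading digits of each component count, so a
    pre-release tag such as '6.6.2rc1' compares as 6.6.2 (simplification)."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits or 0))
    return tuple(parts)


def version_is_patched(version_text: str) -> bool:
    """True when the given pypdf version string is 6.6.2 or later."""
    return _parse_version(version_text) >= FIXED_VERSION


def installed_pypdf_is_patched() -> Optional[bool]:
    """None if pypdf is not installed, otherwise whether it is >= 6.6.2."""
    try:
        return version_is_patched(installed_version("pypdf"))
    except PackageNotFoundError:
        return None


def _worker(fn: Callable[..., Any], args: tuple, out: Any) -> None:
    try:
        out.put(("ok", fn(*args)))
    except Exception as exc:   # report parser errors instead of losing them
        out.put(("error", repr(exc)))


def run_bounded(fn: Callable[..., Any], args: tuple = (), timeout_s: float = 5.0) -> Tuple[str, Any]:
    """Run fn(*args) in a child process. Returns ("ok", result), ("error", message)
    or ("timeout", None); on timeout the child is killed, not asked to stop."""
    out = _CTX.Queue()
    proc = _CTX.Process(target=_worker, args=(fn, args, out), daemon=True)
    proc.start()
    proc.join(timeout_s)
    if proc.is_alive():
        proc.kill()          # SIGKILL: a process spinning in Python code cannot ignore it
        proc.join()
        return ("timeout", None)
    try:
        return out.get(timeout=1.0)
    except queue_mod.Empty:
        return ("error", f"worker exited with code {proc.exitcode} and no result")


def extract_outline_titles(path: str) -> List[str]:
    """Payload for run_bounded: read the outline with pypdf (assumed API: PdfReader.outline)."""
    from pypdf import PdfReader
    titles: List[str] = []
    stack = list(reversed(PdfReader(path).outline))
    while stack:
        item = stack.pop()
        if isinstance(item, list):          # nested children come back as lists
            stack.extend(reversed(item))
        else:
            titles.append(item.title)
    return titles


def spin_forever() -> None:
    """Stand-in for a parser stuck in the outline loop (constructed, no PDF involved)."""
    while True:
        pass


def quick_work(a: int, b: int) -> int:
    return a + b


if __name__ == "__main__":
    print(installed_pypdf_is_patched())
    print(run_bounded(quick_work, (2, 3), timeout_s=2.0))   # ('ok', 5)
    print(run_bounded(spin_forever, (), timeout_s=0.5))     # ('timeout', None)
```

In a service, the call is `run_bounded(extract_outline_titles, (upload_path,), timeout_s=5.0)` and a `"timeout"` result should be logged and counted, since a steady stream of timeouts on outline extraction is exactly the CPU-spike signal the advisory asks you to monitor. A thread-based timeout would not do here: a thread stuck in the parser cannot be stopped, whereas a killed child process releases the CPU immediately.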