CVE Catalog

CVE-2026-38970

Low risk· EPSS 7%
Published: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.17%

7th percentile — higher than 7% of all known CVEs

Summary

A vulnerability in pdfcpu up to version 0.11.1 causes a denial-of-service (DoS) via uncontrolled recursion in the PDF parser. The ParseObjectContext() and parseArray() functions in parse.go recursively process nested PDF objects without enforcing a maximum nesting depth.

Risk Assessment

An attacker can supply a specially crafted PDF file with deeply nested objects, leading to stack overflow and application crash, causing service unavailability for users.

Recommendation

Update pdfcpu to a version newer than 0.11.1 that includes a fix limiting recursion depth. If an update is not possible, implement input validation of PDF files before processing.

Original NVD description (English source)

pdfcpu through v0.11.1 contains an uncontrolled-recursion denial-of-service issue in pkg/pdfcpu/model/parse.go. The parser descends recursively through nested PDF objects, including arrays, via ParseObjectContext() and parseArray() without enforcing a maximum nesting depth.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS