{
  "threat_severity" : "Moderate",
  "public_date" : "2026-03-20T09:09:12Z",
  "bugzilla" : {
    "description" : "pypdf: pypdf: Denial of Service due to excessive resource consumption from crafted PDF",
    "id" : "2449585",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2449585"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
    "status" : "draft"
  },
  "cwe" : "CWE-770",
  "details" : [ "pypdf is a free and open-source pure-python PDF library. Versions prior to 6.9.1 allow an attacker to craft a malicious PDF which leads to long runtimes and/or large memory usage. Exploitation requires accessing an array-based stream with many entries. This issue has been fixed in version 6.9.1.", "A flaw was found in pypdf, a pure-python PDF library. An attacker can craft a malicious PDF file that, when processed, leads to excessive resource consumption, causing long runtimes and high memory usage. This can result in a Denial of Service (DoS) condition, making the application unresponsive or unstable." ],
  "package_state" : [ {
    "product_name" : "Lightspeed Core",
    "fix_state" : "Fix deferred",
    "package_name" : "lightspeed-core/rag-tool-rhel9",
    "cpe" : "cpe:/a:redhat:lightspeed_core"
  }, {
    "product_name" : "OpenShift Lightspeed",
    "fix_state" : "Fix deferred",
    "package_name" : "openshift-lightspeed/lightspeed-ocp-rag-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_lightspeed"
  }, {
    "product_name" : "OpenShift Lightspeed",
    "fix_state" : "Fix deferred",
    "package_name" : "openshift-lightspeed/lightspeed-service-api-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_lightspeed"
  }, {
    "product_name" : "OpenShift Lightspeed",
    "fix_state" : "Fix deferred",
    "package_name" : "openshift-lightspeed-tech-preview/lightspeed-rag-tool-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_lightspeed"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Fix deferred",
    "package_name" : "ansible-automation-platform-25/lightspeed-chatbot-rhel8",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Fix deferred",
    "package_name" : "rhelai3/bootc-cuda-rhel9",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Fix deferred",
    "package_name" : "rhelai3/bootc-rocm-rhel9",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Fix deferred",
    "package_name" : "rhelai3/disk-image-cuda-rhel9",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Fix deferred",
    "package_name" : "rhoai/odh-llama-stack-core-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-33123\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33123\nhttps://github.com/py-pdf/pypdf/pull/3686\nhttps://github.com/py-pdf/pypdf/releases/tag/6.9.1\nhttps://github.com/py-pdf/pypdf/security/advisories/GHSA-qpxp-75px-xjcp" ],
  "name" : "CVE-2026-33123",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}