{
  "threat_severity" : "Moderate",
  "public_date" : "2026-03-26T23:58:42Z",
  "bugzilla" : {
    "description" : "pypdf: pypdf: Denial of Service via crafted PDF in non-strict mode",
    "id" : "2452062",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2452062"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-606",
  "details" : [ "pypdf is a free and open-source pure-python PDF library. Versions prior to 6.9.2 have a vulnerability in which an attacker can craft a PDF which leads to an infinite loop. This requires reading a file in non-strict mode. This has been fixed in pypdf 6.9.2. If users cannot upgrade yet, consider applying the changes from the patch manually.", "A flaw was found in pypdf. An attacker can craft a malicious PDF file that, when processed by pypdf in non-strict mode, triggers an infinite loop. This vulnerability can lead to a Denial of Service (DoS) by consuming excessive system resources, making the application unresponsive." ],
  "package_state" : [ {
    "product_name" : "Lightspeed Core",
    "fix_state" : "Affected",
    "package_name" : "lightspeed-core/rag-tool-rhel9",
    "cpe" : "cpe:/a:redhat:lightspeed_core"
  }, {
    "product_name" : "OpenShift Lightspeed",
    "fix_state" : "Not affected",
    "package_name" : "openshift-lightspeed/lightspeed-ocp-rag-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_lightspeed"
  }, {
    "product_name" : "OpenShift Lightspeed",
    "fix_state" : "Affected",
    "package_name" : "openshift-lightspeed/lightspeed-service-api-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_lightspeed"
  }, {
    "product_name" : "OpenShift Lightspeed",
    "fix_state" : "Affected",
    "package_name" : "openshift-lightspeed-tech-preview/lightspeed-rag-tool-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_lightspeed"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Fix deferred",
    "package_name" : "ansible-automation-platform-25/lightspeed-chatbot-rhel8",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Affected",
    "package_name" : "rhelai3/bootc-cuda-rhel9",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Affected",
    "package_name" : "rhelai3/bootc-rocm-rhel9",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Affected",
    "package_name" : "rhelai3/disk-image-cuda-rhel9",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Affected",
    "package_name" : "rhoai/odh-llama-stack-core-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-33699\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33699\nhttps://github.com/py-pdf/pypdf/pull/3693\nhttps://github.com/py-pdf/pypdf/releases/tag/6.9.2\nhttps://github.com/py-pdf/pypdf/security/advisories/GHSA-87mj-5ggw-8qc3" ],
  "name" : "CVE-2026-33699",
  "mitigation" : {
    "value" : "To mitigate this issue, avoid processing untrusted PDF files with pypdf, particularly when operating in non-strict mode. Ensuring that applications using pypdf are configured to operate in strict mode, if supported, can prevent exploitation.",
    "lang" : "en:us"
  },
  "csaw" : false
}