Intel

AIKIDO-2026-597961

lopdf is vulnerable to Denial of Service (DoS)

Denial of Service (DoS) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jun 30, 2026

75

High Risk

This Affects:

RUSTlopdf
0.0.1 - 0.41.0
Fixed in 0.42.0
Are you affected? Scan for Free

TL;DR

Affected versions of lopdf are vulnerable to a denial-of-service (DoS) issue due to unbounded recursion when parsing deeply nested PDF arrays and dictionaries. A specially crafted PDF can trigger a stack overflow and terminate the process, allowing attackers to crash applications that parse untrusted PDF files.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

lopdf is vulnerable to Denial of Service (DoS) in versions 0.0.1 - 0.41.0.

How to fix this

Upgrade the lopdf library to the patch version.