Intel

AIKIDO-2026-789693

pdf-oxide is vulnerable to Denial of Service (DoS)

Denial of Service (DoS) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published 3 days ago

59

Medium Risk

This Affects:

PYTHONpdf-oxide
0.3.61 - 0.3.72
Fixed in 0.3.73
Are you affected? Scan for Free

TL;DR

The Python bindings ship the same Rust core, whose reading-order text extraction pipeline groups vertical-writing (tategaki) spans into columns with a pairwise |a - b| <= tol X-center comparator that is not transitive. When a malformed or scanned CJK PDF produces many narrow spans whose centers step within the tolerance, the comparator reports contradictory orderings and Rust's sort_by/sort_unstable_by panics with a total-order violation that is uncatchable across the FFI boundary and aborts the host Python process. Oversized real-number literals that saturate to f64::INFINITY can also feed NaN glyph coordinates into the same sort path and reach the crash. The fix replaces the comparator with single-linkage column clustering that yields a genuine total order and clamps oversized literals to the spec limit at parse time.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and you extract text from untrusted or scanned PDFs.

Background info

pdf-oxide is vulnerable to Denial of Service (DoS) in versions 0.3.61 - 0.3.72.

How to fix this

Upgrade the pdf-oxide library to the patch version.