CVE-2026-38970
Low risk· EPSS 7%Exploitation Probability (EPSS)
Low risk7th percentile — higher than 7% of all known CVEs
Summary
A vulnerability in pdfcpu up to version 0.11.1 causes a denial-of-service (DoS) via uncontrolled recursion in the PDF parser. The ParseObjectContext() and parseArray() functions in parse.go recursively process nested PDF objects without enforcing a maximum nesting depth.
Risk Assessment
An attacker can supply a specially crafted PDF file with deeply nested objects, leading to stack overflow and application crash, causing service unavailability for users.
Recommendation
Update pdfcpu to a version newer than 0.11.1 that includes a fix limiting recursion depth. If an update is not possible, implement input validation of PDF files before processing.
Original NVD description (English source)
pdfcpu through v0.11.1 contains an uncontrolled-recursion denial-of-service issue in pkg/pdfcpu/model/parse.go. The parser descends recursively through nested PDF objects, including arrays, via ParseObjectContext() and parseArray() without enforcing a maximum nesting depth.

