HIGH 8.8

CVE-2026-10002: Google Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)

A use-after-free memory flaw in PDFium, the PDF rendering engine embedded in Google Chrome, allows attackers to corrupt heap memory by tricking users into opening a specially crafted PDF file. The vulnerability affects Chrome versions before 148.0.7778.216 and requires user interaction to trigger. An attacker exploiting this could achieve code execution with the same privileges as the Chrome process.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416
Affected products
4 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

Use after free in PDFium in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. (Chromium security severity: High)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10002 is a use-after-free vulnerability (CWE-416) in PDFium within Google Chrome prior to version 148.0.7778.216. The flaw permits heap corruption when a malicious PDF is processed by the browser's PDF handler. The attack vector is network-based with low complexity; the only user-interaction requirement is opening or viewing a crafted PDF. The vulnerability carries high severity across confidentiality, integrity, and availability dimensions, as successful exploitation could lead to arbitrary code execution within the Chrome sandbox context.

Business impact

Compromise of user endpoints running vulnerable Chrome instances. An attacker could gain the ability to steal sensitive data, install malware, or establish persistence on victim machines. In enterprise environments where Chrome is the standard browser, this creates a broad attack surface. The requirement for user interaction (opening a PDF) makes targeted phishing campaigns the likely delivery vector, increasing risk for organizations with high-volume external communications.

Affected systems

Google Chrome prior to version 148.0.7778.216 on Windows, macOS, and Linux is vulnerable. The underlying issue resides in PDFium, Chrome's integrated PDF rendering library, making all Chrome deployments on these operating systems a potential attack surface. Other products that may bundle PDFium should be evaluated separately for inclusion and patch status.

Exploitability

The vulnerability requires user interaction to trigger (opening or viewing a malicious PDF), which moderately reduces the attack surface compared to network worms. However, the barrier to exploitation is low: attackers need only craft a malicious PDF and convince a user to open it—a common social engineering tactic. No known public exploit code is documented as of this analysis, but the high CVSS score and memory corruption nature suggest the flaw is likely exploitable once technically analyzed by threat actors.

Remediation

Organizations must upgrade Google Chrome to version 148.0.7778.216 or later. Chrome's auto-update mechanism typically handles this transparently for most users, but administrators should verify deployment in managed environments. Additionally, consider restricting PDF opening to trusted sources and enforcing browser-based PDF viewers where feasible rather than external applications.

Patch guidance

Verify that Google Chrome instances across your environment are running version 148.0.7778.216 or higher. For managed deployments, consult your organization's Chrome management policies (via Google Admin Console or equivalent tools) to ensure auto-updates are enabled or to manually push the patch. Validate the patch by checking chrome://version in the address bar and confirming the version number matches the fixed release. For offline or air-gapped systems, obtain the installer from Google's official release notes and deploy via your software distribution mechanism.

Detection guidance

Monitor for PDF files with suspicious characteristics (unusual file size, embedded JavaScript, or obfuscated content) traversing email gateways and file-sharing systems. Review browser crash logs and memory dumps for heap corruption patterns or unexpected termination of Chrome processes following PDF access. Endpoint detection and response (EDR) tools should flag attempts to exploit memory corruption via PDF engines. Network-based indicators include outbound connections from Chrome processes to attacker-controlled infrastructure following PDF rendering events. Cross-reference browser history for visits to untrusted or compromised sites known to distribute malicious PDFs.

Why prioritize this

Despite CVE-2026-10002 not appearing on the KEV catalog, its high CVSS score (8.8), memory corruption nature, low attack complexity, and the ubiquity of Chrome in both consumer and enterprise environments warrant immediate prioritization. The use-after-free class of vulnerabilities is well-understood and frequently exploitable. Organizations should treat this as a critical patch with a 72-hour deployment target for user-facing systems, particularly those with frequent PDF handling.

Risk score, explained

The CVSS 3.1 score of 8.8 (HIGH) reflects the combination of network accessibility, low attack complexity, user interaction requirement, and broad impact (confidentiality, integrity, and availability all rated high). The score appropriately captures the severity but does not discount for the user-interaction prerequisite; real-world risk in your environment depends heavily on user behavior, email gateway controls, and whether Chrome is the primary browser in use.

Frequently asked questions

Does this vulnerability affect Chrome on mobile devices?

The source data lists Windows, macOS, and Linux. Confirm patch status for Chrome on iOS and Android through Google's mobile security bulletins, as mobile versions may use a different PDFium version or sandboxing model.

What if we restrict PDF opening in Chrome and force external viewers?

While using external PDF readers could reduce attack surface within Chrome itself, those external applications may have their own vulnerabilities. The optimal approach is to patch Chrome and educate users to avoid opening PDFs from untrusted sources, then monitor for anomalous behavior.

Is this vulnerability being actively exploited in the wild?

As of the published date (May 2026), no active exploitation is confirmed. However, the simplicity of the attack vector (malicious PDF) and high severity suggest threat actors will develop exploits rapidly. Do not delay patching pending evidence of in-the-wild activity.

Do other Chromium-based browsers (Edge, Brave, Opera) need patching?

Browsers based on Chromium (such as Microsoft Edge) that bundle PDFium are likely affected and will require their own security updates. Check vendor advisories for each browser; do not assume a Chrome patch automatically secures all Chromium derivatives.

This analysis is provided for informational purposes and reflects publicly available information as of the publication date. Patch version numbers and CVSS scores are derived from official vendor advisories and NVD records; verify against authoritative sources before deployment. Organizations should conduct their own risk assessment based on their environment, user population, and threat landscape. SEC.co does not provide legal advice; consult your legal and compliance teams regarding patch timelines and mandatory disclosure obligations. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).