CVE-2026-10945: Chrome PDF Use-After-Free RCE Vulnerability – Patch Available
A use-after-free vulnerability exists in Google Chrome's PDF handling that allows attackers to execute code within Chrome's sandbox if they can trick a user into performing specific UI interactions with a malicious PDF file. The vulnerability affects Chrome versions prior to 149.0.7827.53 across Windows, macOS, and Linux systems.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Use after free in PDF in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10945 is a use-after-free vulnerability (CWE-416) in Chrome's PDF rendering engine. The flaw arises from improper memory management where a freed object is accessed after deallocation. An attacker crafts a malicious PDF that, when opened and manipulated through specific user gestures (clicking, scrolling, or similar interactions), triggers code execution within the Chrome sandbox. The vulnerability requires user interaction but carries no prerequisites for network access or authentication. The attack vector is network-based, with low attack complexity and no privilege escalation required.
Business impact
Organizations reliant on Chrome for business operations face operational disruption and data theft risks. Although the attack is sandboxed, successful exploitation could lead to credential theft, browser data exfiltration, or lateral movement into corporate networks if combined with other vulnerabilities. The requirement for user interaction limits mass exploitation but makes targeted campaigns feasible. Widespread browser usage in enterprise environments amplifies the potential impact.
Affected systems
Google Chrome versions prior to 149.0.7827.53 on Windows, macOS, and Linux are affected. The vulnerability applies to any user who opens untrusted PDF files with Chrome, whether through direct opening, downloads, or embedded previews in web applications. Systems with the PDF plugin or viewer enabled are at heightened risk.
Exploitability
This vulnerability has not been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating no evidence of active exploitation in the wild at the time of initial analysis. However, the low attack complexity and reliance only on user interaction make it attractive for targeted spear-phishing campaigns. Creating a weaponized malicious PDF is straightforward once the memory corruption trigger is understood. Organizations should assume exploitation could accelerate once public proof-of-concept code emerges.
Remediation
Users and administrators must update Chrome to version 149.0.7827.53 or later. This update patches the memory management flaw in the PDF handler. For managed environments, deploy patches through Chrome's enterprise update mechanisms or native OS package managers. Organizations may also mitigate risk by disabling the embedded PDF viewer and routing PDF rendering to external applications until patching is complete, though this reduces functionality.
Patch guidance
Chrome will auto-update to version 149.0.7827.53 or later on supported systems. Enterprise customers using Chrome Enterprise should verify availability through the admin console and deploy via managed update channels. Users on Windows can check chrome://settings/help to confirm the installed version. On macOS, verify via Chrome menu > About Google Chrome. Linux users should confirm patch availability through their distribution's package repository. Verify the patch is installed before resuming normal PDF handling workflows.
Detection guidance
Monitor for Chrome updates to version 149.0.7827.53 or later in your environment using endpoint detection and response (EDR) tools, SIEM systems, or Chrome Enterprise reporting. Network indicators are minimal since the attack occurs client-side; focus instead on behavioral signals such as unexpected Chrome sandbox escapes or post-exploitation indicators. Review browser security logs for PDF file interactions from untrusted sources. Organizations using web filtering should flag suspicious PDF sources and alert users to malicious file patterns.
Why prioritize this
This vulnerability scores 8.8 (HIGH severity) due to high impact across confidentiality, integrity, and availability, combined with low attack complexity and no authentication requirements. Although sandboxed, code execution is the worst-case outcome. The lack of KEV status and public exploits currently available provides a brief window for patching before active attacks emerge. Wide exposure (billions of Chrome users) and reliance on user interaction make targeted campaigns probable in the short term.
Risk score, explained
CVSS 3.1 score of 8.8 reflects: Attack Vector (Network) – the PDF can be delivered remotely; Attack Complexity (Low) – crafting a malicious PDF is straightforward; Privileges Required (None) – no account access needed; User Interaction (Required) – user must open the PDF and interact with it; Scope (Unchanged) – impact is limited to the Chrome sandbox; Confidentiality/Integrity/Availability (High) – code execution can leak data, modify state, or crash the browser. The HIGH severity designation aligns with Chromium's internal security rating.
Frequently asked questions
Does the vulnerability affect Chrome on mobile devices?
The CVE description specifies Windows, macOS, and Linux. Chrome on Android and iOS may have different PDF handling implementations. Verify the status of mobile Chrome versions through Google's security advisories, as mobile platforms sometimes receive patches on different schedules.
Can an attacker exploit this without user interaction?
No. The vulnerability explicitly requires the user to engage in specific UI gestures such as clicking, scrolling, or form interaction within the PDF viewer. Merely opening or viewing a malicious PDF is insufficient to trigger exploitation.
Is the sandbox guaranteed to prevent all damage?
Chrome's sandbox significantly limits the attacker's access to the host system and other browser processes, but it is not a perfect boundary. A determined adversary could chain this vulnerability with other sandbox escape techniques. The sandbox reduces risk but does not eliminate it entirely.
What should users do if they cannot update immediately?
Disable or remove the Chrome PDF plugin by navigating to chrome://plugins, route PDF files to alternative viewers (Adobe Reader, system PDF apps), and avoid opening PDFs from untrusted or unexpected sources until patching is possible. Apply the patch as soon as your system allows.
This analysis is provided for informational and defensive purposes only. SEC.co makes no warranty regarding the accuracy or completeness of this information. Vulnerability severity, exploitability, and attack vectors may evolve; organizations must verify all claims against official vendor advisories and their own security testing. This document does not constitute legal or professional security advice. Organizations should conduct their own risk assessments in alignment with their policies, threat models, and compliance requirements. Patch guidance should be validated against the Google Chrome official security advisories before deployment in production environments. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment
- CVE-2026-10016HIGHUse-After-Free in Chrome DOM – Sandbox Code Execution Vulnerability
- CVE-2026-10882HIGHCritical Chrome Use-After-Free RCE Vulnerability – Exploit Details & Patch Guidance