HIGH 8.8

CVE-2026-11304: Critical Use-After-Free in Chrome PDFium Engine

A use-after-free flaw in PDFium, the PDF rendering engine used by Google Chrome, allows attackers to corrupt heap memory when a user opens a specially crafted PDF file. An attacker could exploit this to potentially execute arbitrary code or crash the browser. The vulnerability requires user interaction (opening a malicious PDF) but is otherwise straightforward to exploit remotely.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416
Affected products
4 configuration(s)
Published / Modified
2026-06-05 / 2026-06-17

NVD description (verbatim)

Use after free in PDFium in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. (Chromium security severity: Low)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11304 is a use-after-free vulnerability (CWE-416) in PDFium affecting Google Chrome versions prior to 149.0.7827.53. The flaw occurs when PDFium processes a maliciously crafted PDF, causing the application to access memory that has already been freed. This heap corruption can be leveraged by an attacker to achieve code execution with the privileges of the Chrome process. The attack vector is network-based and requires minimal user interaction beyond opening a file.

Business impact

For organizations deploying Chrome across their workforce, this vulnerability presents a material risk to endpoint security. A successful exploit could allow attackers to compromise individual user sessions, steal sensitive data, or establish persistence on corporate machines. The requirement for user interaction—opening a PDF—narrows the attack surface compared to browsing vulnerabilities, but PDF documents are commonly shared in enterprise environments, making social engineering attacks plausible. Unpatched systems remain exposed until Chrome is updated to version 149.0.7827.53 or later.

Affected systems

Google Chrome on Windows, macOS, and Linux operating systems prior to version 149.0.7827.53 are vulnerable. Organizations using Chromium-based browsers (Edge, Brave, Vivaldi, etc.) built against the affected PDFium version may also be at risk; verify your vendor's patch timeline independently. The vulnerability does not directly affect the Linux kernel, Windows, or macOS themselves, but impacts the browser application on these platforms.

Exploitability

This vulnerability carries a CVSS score of 8.8 (HIGH), driven by its network accessibility, low attack complexity, lack of privilege requirements, and severe impact (confidentiality, integrity, and availability compromised). Although exploitation requires user action to open a PDF, this is a low friction requirement in typical business workflows. The vulnerability is not yet tracked as actively exploited in the wild (KEV status), but the combination of ease-of-use and impact makes it a credible near-term threat if exploit code becomes public.

Remediation

Immediately update Google Chrome to version 149.0.7827.53 or newer. Most organizations with auto-update enabled will receive the patch automatically, but verify deployment across devices, especially any machines with auto-update disabled. For Chromium derivatives, check vendor advisories for patched versions. Until patched, consider restricting user ability to open untrusted PDF files or using an isolated PDF reader as a temporary control.

Patch guidance

Deploy Chrome version 149.0.7827.53 or later across your environment. Chrome's built-in auto-update mechanism will handle most deployments, but confirm patch status via chrome://version in the browser address bar (should show version 149.0.7827.53 or higher). For enterprise deployments using group policy or MDM, update your managed Chrome version pinning policies. Test patches in a limited environment first if your organization has strict change-control processes. No special configuration changes are required post-patch.

Detection guidance

Monitor for Chrome crash dumps or browser logs showing heap corruption errors associated with PDF processing. Endpoint detection and response (EDR) tools should flag suspicious PDF file access or unexpected child process spawning from Chrome. Network-level detection is limited since the attack is client-side, but monitor for delivery of suspicious PDF files via email or web downloads. Correlate user reports of browser crashes immediately after opening unfamiliar PDFs with vulnerability timeline and patch status.

Why prioritize this

This vulnerability merits immediate patching despite its low Chromium severity rating, because the CVSS score of 8.8 reflects genuine high impact. The combination of user-facing attack vector (PDF files are ubiquitous), high confidentiality/integrity/availability impact, and widespread Chrome deployment makes this a top-tier browser security issue. Early patch deployment will prevent opportunistic exploitation once public details emerge.

Risk score, explained

The CVSS 3.1 score of 8.8 is driven by network accessibility (AV:N), low attack complexity (AC:L), no privileges required (PR:N), user interaction needed (UI:R), and high impact across all three security dimensions (C:H/I:H/A:H). While user interaction is required, opening a PDF is a routine, low-friction action that does not substantially reduce the overall risk in environments where PDF sharing is common. The score appropriately reflects a critical browser vulnerability despite Chromium's internal severity assessment.

Frequently asked questions

Why is the CVSS score so high if Chromium only rated this as 'Low' severity?

Chromium's internal severity rating and CVSS scores measure different things. Chromium rates severity within the browser context; a 'Low' rating there may reflect limited surface area or reduced real-world impact in Chrome's sandboxing model. CVSS 3.1 measures raw technical impact: any use-after-free that achieves code execution with high confidentiality, integrity, and availability impact scores 8.8. Both metrics are valid for different purposes—use CVSS for prioritization and remediation urgency.

Do I need to worry about this if my organization doesn't use Chrome?

If you exclusively use Safari, Firefox, or Internet Explorer, your organization is not directly affected by this PDFium vulnerability. However, if you use any Chromium-based browser (Microsoft Edge, Brave, Vivaldi, Opera, etc.), verify your vendor's patch timeline. Some organizations also need to review whether developers, contractors, or BYOD users might have Chrome installed.

Can I disable PDFs in Chrome to protect myself until I patch?

Chrome does not easily allow disabling PDF viewing, and workarounds are fragile. Instead, prioritize patching to version 149.0.7827.53 immediately, use your PDF reader setting to route PDFs to an external application (reducing attack surface on the browser itself), or restrict opening untrusted PDFs via endpoint controls until fully patched.

Is this vulnerability actively being exploited in the wild right now?

As of the vulnerability's publication, it is not listed in CISA's KEV catalog, meaning there is no confirmed evidence of active exploitation. However, the vulnerability's simplicity and impact make it likely to be targeted once public details and proof-of-concept code emerge. Treat it as a pre-exploitation threat and prioritize patching within days, not weeks.

This analysis is based on public vulnerability data and official vendor advisories as of June 2026. Patch availability and version numbers should be verified against Google's official Chrome release notes before deployment. This assessment does not constitute legal or compliance advice. Organizations should conduct their own risk assessment and testing before deploying patches in production environments. Exploit code or weaponized proof-of-concept details are not provided; interested parties should consult appropriate threat intelligence sources and vendor advisories for real-time threat activity data. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).