CVE-2026-11305: PDFium Use-After-Free in Chrome
A use-after-free flaw in PDFium, the PDF rendering engine embedded in Google Chrome, allows attackers to execute arbitrary code within Chrome's sandbox by tricking users into opening a malicious PDF file. The vulnerability affects Chrome versions prior to 149.0.7827.53 across Windows, macOS, and Linux. While Chromium assigned this a Low security severity rating, the CVSS score of 8.8 reflects the practical risk: a remote attacker needs only a crafted PDF and user interaction to achieve code execution with high impact on confidentiality, integrity, and availability.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-05 / 2026-06-17
NVD description (verbatim)
Use after free in PDFium in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: Low)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11305 is a use-after-free vulnerability (CWE-416) in PDFium, Google's open-source PDF viewer library. The flaw occurs when PDFium processes specially crafted PDF files, causing it to reference memory that has already been freed. An attacker can construct a malicious PDF that triggers this memory access pattern, leading to memory corruption. Although execution is confined to Chrome's sandbox—limiting direct system compromise—the attacker can still read sensitive data from the browser process, modify rendered content, or cause denial of service. Exploitation requires user interaction (opening a PDF), but given the ubiquity of PDF sharing, this barrier is modest.
Business impact
For organizations, this vulnerability creates risk across several dimensions. Employees who receive phishing emails with malicious PDF attachments could have their browser sessions compromised, potentially exposing credentials, session tokens, or sensitive documents open in other tabs. In industries handling confidential information—legal, financial, healthcare—a successful exploit could lead to data exfiltration. The vulnerability also affects macOS and Linux users proportionally to their Chrome adoption. From an incident response perspective, sandboxed code execution can still be leveraged as a stepping stone to escape the sandbox via secondary vulnerabilities, though that requires chaining. The relatively high CVSS score (8.8) underscores that this is not a low-risk issue despite Chromium's internal severity classification.
Affected systems
Google Chrome versions prior to 149.0.7827.53 are affected on all major platforms: Windows, macOS, and Linux. The vulnerability is in PDFium, which is bundled with Chrome and used as the default PDF handler. Users running Chrome 149.0.7827.53 or later are protected. Organizations should verify their Chrome version distribution; unpatched instances remain at risk. Note that PDFium is also embedded in other Chromium-based browsers, though this CVE explicitly references Chrome. Enterprise deployments should check whether Chromium derivatives in their environment have received corresponding updates.
Exploitability
Exploitation requires a user to open a malicious PDF in Chrome. The attacker has no privilege requirement and can deliver the PDF via email, web download, or file sharing services. The attack surface is high because PDF files are routinely shared in business communication and often opened without scrutiny. No authentication or elevated privileges are needed. However, the attack does require user interaction (opening the file), which provides a minor friction point. The sandbox containment means the attacker cannot immediately access the operating system, though they gain significant access to browser memory and the rendering process. Overall, this is a practical, real-world threat given PDF ubiquity and user behavior.
Remediation
The primary remediation is to update Google Chrome to version 149.0.7827.53 or later. Chrome auto-updates by default, but users should verify their version via Settings > About Chrome and trigger an update if necessary. For organizations deploying Chrome via managed policies, update the Chrome version in your deployment package or let managed devices auto-update. As a temporary mitigation pending patches, organizations can disable PDF preview in Chrome or route PDFs through an external viewer, though this is cumbersome and not recommended as a long-term solution. User education about not opening PDF attachments from untrusted sources remains important but is not a substitute for patching.
Patch guidance
Update Chrome to version 149.0.7827.53 or later. Chrome's auto-update mechanism will deploy this version automatically for most users within 24–48 hours, though timing varies by platform and user restart habits. For IT administrators: verify successful rollout via Chrome Management Console; confirm version numbers across your deployed fleet. Test this patch in a non-production environment first if your organization has custom extensions or PDF processing workflows, though most users will experience no compatibility issues. Organizations using Chromium-based derivatives (Edge, Brave, etc.) should check those vendors' security advisories separately, as they may follow different patching schedules.
Detection guidance
Detecting exploitation is challenging because successful attacks occur within the sandboxed process and leave minimal host-level forensic traces. Monitor for: (1) Unexpected Chrome process crashes or high CPU/memory usage correlating with PDF opens, which may indicate exploitation attempts; (2) Unusual network traffic from Chrome processes, which could indicate data exfiltration post-compromise; (3) User reports of browser hangs or crashes after opening PDFs from unknown sources. Log Chrome's version string across your fleet to identify unpatched instances. Consider enabling Chrome security event logging in managed environments. Proactive detection of the malicious PDF itself is difficult without a known sample; reputation-based filtering of email attachments and web downloads provides baseline protection but is not foolproof.
Why prioritize this
Despite Chromium's internal Low severity classification, the CVSS 8.8 score reflects real-world risk. Prioritize patching because: (1) exploitation is trivial (crafted PDF + user click); (2) impact is high (code execution with data access); (3) affected population is massive (Chrome users globally); (4) the attack vector is common and difficult to block with user behavior alone. Organizations with high email volume or those handling sensitive documents should patch immediately. This is not an emergency zero-day (patch is available), but it is a legitimate priority for IT teams in the next maintenance cycle.
Risk score, explained
The CVSS 3.1 score of 8.8 (HIGH severity) reflects: Network-based attack vector (AV:N) with low complexity (AC:L), no privilege requirement (PR:N), and user interaction required (UI:R). The impact assessment—high for confidentiality (C:H), integrity (I:H), and availability (A:H)—assumes an attacker within the sandbox can read sensitive data, modify page content, or crash the process. The score does not heavily discount sandbox containment, reflecting the view that sandbox escapes are plausible with secondary exploits, and the data access within the browser alone is serious. In SEC.co's risk model, this aligns with HIGH priority given the attack surface and user interaction is a weak barrier in practice.
Frequently asked questions
Why does Chromium call this Low severity when the CVSS is 8.8 HIGH?
Chromium's internal severity classification may reflect the sandbox containment and the requirement for user interaction—both factors that reduce immediate system-level risk. CVSS 8.8 captures the realistic impact (code execution, data access) without heavy discounting for sandbox scope. Organizations should trust CVSS for prioritization; Chromium's rating is an internal development metric, not a measure of business risk.
Are PDFs from reputable sources (corporate email, known vendors) safe to open?
While reputable sources are less likely to be compromised, a sophisticated attacker could target a company's email system or compromise a vendor's distribution channel. No source is 100% safe. Patching is the only reliable protection; opening PDFs from unknown or unexpected sources should remain discouraged, but do not assume trust eliminates risk.
Does this affect PDF readers other than Chrome (Adobe, etc.)?
This CVE is specific to PDFium in Google Chrome. Adobe Reader, Preview (macOS), and other PDF viewers use different rendering engines and are not affected by this flaw. However, users should keep all PDF readers patched, as they have their own vulnerability landscapes.
Can an attacker exploit this without the user actually opening the PDF?
No, exploitation requires the user to open the malicious PDF in Chrome. If the file sits in a download folder unopened, there is no risk from this particular flaw. However, some email clients or file explorers may preview PDFs automatically, which could trigger the vulnerability.
This analysis is provided for informational purposes and represents SEC.co's interpretation of publicly available vulnerability data as of the publication date. Patch versions, affected software versions, and remediation guidance should be verified against the official vendor advisories and your environment's configuration before deployment. Use-after-free vulnerabilities can be subtle; organizations should test patches in non-production environments. This document does not constitute legal, compliance, or procurement advice. Security decisions should align with your organization's risk tolerance and incident response procedures. SEC.co makes no warranty regarding the completeness or accuracy of this analysis and disclaims liability for damages arising from its use or misuse. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment
- CVE-2026-10016HIGHUse-After-Free in Chrome DOM – Sandbox Code Execution Vulnerability
- CVE-2026-10882HIGHCritical Chrome Use-After-Free RCE Vulnerability – Exploit Details & Patch Guidance