CVE-2026-11307: Use-After-Free in PDFium / Google Chrome—Exploitation Risk & Patching Guide
A use-after-free memory bug in PDFium—the PDF rendering library bundled with Google Chrome—allows attackers to run arbitrary code within Chrome's sandbox by sending a malicious PDF file. The vulnerability requires user interaction (opening the PDF) but can fully compromise a victim's browser process, stealing data or installing malware. While Google rated this as low severity internally, the CVSS score of 8.8 reflects the serious consequences: an attacker gains code execution with high impact to confidentiality, integrity, and availability.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-05 / 2026-06-17
NVD description (verbatim)
Use after free in PDFium in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: Low)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11307 is a use-after-free vulnerability (CWE-416) in PDFium, the open-source PDF rendering engine used by Chromium-based browsers including Google Chrome. The flaw permits a remote attacker to execute arbitrary code within the Chrome sandbox by crafting a specially designed PDF file and inducing a user to open it. The vulnerability operates with network accessibility, requires no special privileges, and demands only routine user interaction. Although the attacker's code executes in the sandbox—limiting lateral movement to the host system—the sandbox itself can be compromised, yielding read, write, and execution capabilities within the browsing context.
Business impact
Organizations relying on Chrome for secure document handling face elevated risk. An attacker can harvest credentials, cookies, and cached secrets stored in the browser profile; inject malware into enterprise workflows; or pivot toward internal systems if the browser runs with elevated privileges or on a networked domain. For users handling sensitive PDFs (contracts, financial statements, HR documents), a single malicious file can compromise confidentiality. Supply-chain scenarios—where PDFs are auto-opened by scripts or email filters—amplify exposure. The lack of current exploit in the wild (KEV status: not listed) does not guarantee safety; motivated threat actors often target memory corruption bugs post-disclosure.
Affected systems
Google Chrome versions prior to 149.0.7827.53 are vulnerable on Windows, macOS, and Linux. Because PDFium is also embedded in other Chromium-derived browsers and applications, similar exposure may exist in Edge, Brave, Opera, and any third-party software shipping PDFium. The vulnerability description explicitly mentions Apple macOS, Linux kernel, and Microsoft Windows as affected platforms, indicating broad cross-OS impact. Verify your organization's inventory of Chromium-based applications and embedded PDF renderers.
Exploitability
Exploitation requires delivery of a crafted PDF and user interaction to open it. No authentication is needed, network access is direct, and the attack surface is wide—any application opening a PDF becomes a potential entry point. Social engineering (phishing with malicious PDFs) or compromised websites hosting malicious PDFs are plausible vectors. The sandboxing mechanism mitigates full system compromise but does not prevent theft of browser state or advanced privilege-escalation chains. Given the relative ease of PDF distribution and the commonality of PDF opening, this vulnerability poses a practical threat in real-world campaigns, though no known active exploitation has been cataloged in CISA's KEV list as of publication.
Remediation
Immediately update Google Chrome to version 149.0.7827.53 or later. Verify that auto-update is enabled; Chrome typically updates silently but can require a restart. For enterprises, deploy via MDM or Group Policy to enforce rapid patching. Review browser usage policies: consider restricting PDF preview plugins if not essential, disabling JavaScript in PDFs, or using dedicated PDF readers outside the browser. Educate users not to open PDFs from untrusted sources. Check Chromium-derived browsers and third-party applications for equivalent patches, as they may lag behind the upstream release.
Patch guidance
Apply Google Chrome 149.0.7827.53 or any later stable release. Users can verify their installed version by navigating to chrome://version/ or checking Settings > About Chrome, which auto-checks for updates. Enterprise administrators should confirm rollout via reporting tools and monitor for any crashes or compatibility issues during the roll-out window. No backward compatibility issues are reported for this patch. If auto-update is disabled, manually trigger the update or re-enable automatic updates immediately. Third-party Chromium distributions (Edge, Brave, etc.) will need their own corresponding patches; do not assume Chrome updates alone solve the issue across your entire application stack.
Detection guidance
Monitor for unexpected browser crashes or segmentation faults when users open PDFs, particularly those from external or untrusted sources. Endpoint Detection and Response (EDR) tools can flag unusual child-process spawning or memory access patterns within chrome.exe or chromium processes following PDF rendering. Look for anomalous network connections initiated by the browser after PDF handling. In network telemetry, identify exfiltration of browser cache or cookies. Behavioral indicators include rapid browser restarts, unexpected system calls from rendering threads, or sandbox escape attempts logged in Chrome's internal crash reports. Consider deploying URL filtering to block known malicious PDF distribution sites.
Why prioritize this
Although Google assigned low internal severity, the CVSS 8.8 score (high) reflects genuine risk: arbitrary code execution with full impact to confidentiality, integrity, and availability in the browser sandbox is a serious outcome. The low friction for exploitation (user opens a PDF), broad platform coverage, and sensitive data typically stored in browser profiles elevate real-world priority. The absence of a KEV listing does not imply the vulnerability is low-priority; it simply means there is no confirmed active exploitation to date. Organizations handling financial, legal, or healthcare documents should prioritize patching within days, not weeks.
Risk score, explained
The CVSS 3.1 score of 8.8 (HIGH) is driven by: Network-based attack vector (AV:N), low attack complexity (AC:L), no privilege requirements (PR:N), and user interaction as the only friction (UI:R). The impact is severe across all three pillars—Confidentiality, Integrity, and Availability are all High (C:H/I:H/A:H)—because code execution in the sandbox permits data theft, malware injection, and denial of service. Scope is unchanged (S:U), meaning the attacker's impact is limited to the affected component (the browser) and does not directly compromise the underlying OS. This score correctly reflects a serious vulnerability that demands prompt action, despite Google's internal 'Low' label.
Frequently asked questions
Why does Google say this is 'Low severity' but the CVSS score is 8.8 (HIGH)?
Google's internal severity ratings and CVSS scoring measure different things. Google may weight sandbox containment heavily in its internal assessment, viewing code execution within a sandbox as having lower real-world impact than unsandboxed execution. CVSS, by contrast, is a standardized metric that rates the intrinsic severity of code execution regardless of containment mechanisms. A sandbox is a security boundary that can be breached or bypassed. The CVSS score reflects the theoretical impact if an attacker successfully exploits the flaw; Google's lower rating reflects their belief in sandbox effectiveness. For prioritization, use CVSS but also consider your own risk tolerance and threat model.
Do I need to patch if I don't open PDFs in Chrome?
If you exclusively use native PDF readers (Adobe Reader, macOS Preview, etc.) and never open PDFs in Chrome or Chromium browsers, your direct exposure is minimal. However, many users cannot reliably avoid Chrome PDF rendering—it happens automatically in some workflows, and users may not realize which application is handling a PDF. Additionally, if your organization uses Slack, Teams, Gmail, or other web applications viewed in Chrome, those platforms may render PDFs inline, circumventing your intent. Patching Chrome is simpler and less risky than relying on user behavior.
Is this vulnerability in the public exploit-as-a-service (EaaS) market or being actively exploited?
As of the last update, this CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, meaning there is no confirmed public exploitation or weaponization. However, use-after-free bugs in memory renderers are attractive to sophisticated threat actors because they are relatively stealthy and can lead to sandbox escape with additional chaining. Do not assume the absence of a KEV listing means the vulnerability is safe; it means exploitation has not been confirmed at scale yet. Patch promptly.
How does sandboxing affect my risk from this vulnerability?
The Chrome sandbox isolates the PDF rendering process from system resources and other browser processes, making it harder (but not impossible) for an attacker to steal data from the rest of your system. However, the sandbox does not protect data within the browser itself—cookies, cached credentials, local storage, autofilled forms, and browsing history are all accessible to malicious code running in the rendering process. An attacker can exfiltrate this data over the network or use it to pivot to other services. Advanced attackers can combine this flaw with additional sandbox-escape exploits, but that requires more effort. Sandboxing reduces (not eliminates) risk.
This analysis is based on publicly available vulnerability data as of the publication date and is provided for informational purposes. Patch version numbers and affected product information are derived from official vendor advisories. This explainer does not constitute legal, compliance, or insurance advice. Organizations should conduct their own risk assessment, verify patch applicability in their environment, and test patches in non-production systems before deployment. SEC.co makes no warranty as to the completeness or accuracy of this information and recommends consulting official vendor documentation and security advisories for the most current guidance. Exploit code, proof-of-concept tools, and attack playbooks are not provided herein. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment
- CVE-2026-10016HIGHUse-After-Free in Chrome DOM – Sandbox Code Execution Vulnerability
- CVE-2026-10882HIGHCritical Chrome Use-After-Free RCE Vulnerability – Exploit Details & Patch Guidance