HIGH 8.8

CVE-2026-9957: Chrome PDF Use-After-Free RCE Vulnerability – Patch Now

Google Chrome's PDF renderer contains a use-after-free vulnerability that allows attackers to run malicious code within Chrome's sandboxed PDF handling process. An attacker can exploit this by sending a specially crafted PDF file to a victim. If the victim opens the PDF in Chrome, the vulnerability triggers, potentially allowing the attacker to escape the sandbox and execute arbitrary code on the system. The vulnerability affects Chrome versions prior to 148.0.7778.216 and impacts users on Windows, macOS, and Linux.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416
Affected products
4 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

Use after free in PDF in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: High)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-9957 is a use-after-free memory vulnerability (CWE-416) in Chrome's PDF processing component. The defect occurs when the PDF renderer attempts to access memory that has already been freed, allowing controlled memory manipulation. An attacker crafts a malicious PDF that triggers this condition when parsed. Because the vulnerability exists within Chrome's sandboxed PDF process, initial exploitation is confined to that sandbox context; however, the memory corruption may enable sandbox escape or code execution within the process boundary. The issue was resolved in Chrome version 148.0.7778.216. Chromium's security team rated this as High severity due to the combination of ease of trigger (user interaction with a file) and the potential for full system compromise if sandbox escape occurs.

Business impact

Any organization where employees or users open PDFs in Chrome faces potential compromise. A successful exploitation could allow an attacker to execute code on an employee's workstation, leading to credential theft, lateral movement within the network, or data exfiltration. Remote workers and contractors using Chrome as their primary browser are particularly exposed. The attack requires no special access or bypass of authentication—only that a user open an attacker-controlled or attacker-modified PDF, making phishing campaigns a likely delivery vector.

Affected systems

This vulnerability affects Google Chrome, Microsoft Windows, Apple macOS, and Linux systems running Chrome prior to version 148.0.7778.216. Any Chrome installation on these platforms that has not been updated is vulnerable. Organizations should inventory Chrome deployments, including managed instances, plugin-based installations, and Chrome-based applications.

Exploitability

The vulnerability is readily exploitable in practice. An attacker needs only to craft a malicious PDF file and deliver it to a user—via email, web compromise, USB, or social engineering. The user interaction requirement (opening the PDF) is low friction. No special user privileges, network position, or local access are required. The CVSS score of 8.8 and High severity reflect this accessibility. Given the ubiquity of PDF files and Chrome's popularity, this attack scenario is highly probable in real-world threat environments.

Remediation

Update Google Chrome to version 148.0.7778.216 or later. Most modern Chrome installations auto-update, but verify completion by checking the version in Chrome Settings > About Chrome. For managed environments, deploy the update through standard patch management channels and confirm rollout across all assets. Consider restricting PDF opening in Chrome via group policy or endpoint controls while patches are deployed, though this may impact workflow.

Patch guidance

Google Chrome users should verify they are running version 148.0.7778.216 or later by navigating to Settings > About Chrome, which will display the current version and automatically check for updates. Enterprise administrators managing Chrome deployments should push this update through their endpoint management systems to ensure universal coverage. Auto-update is enabled by default for most users, but it is wise to verify the version has been installed within 48 hours of the patch release. No interim workarounds are available; patching is the sole remediation path.

Detection guidance

Monitor for suspicious PDF files being opened in Chrome, particularly those received via email or downloaded from untrusted sources. Endpoint detection and response (EDR) tools should flag instances of Chrome attempting unusual system calls or accessing unexpected memory regions after PDF processing. Network monitoring should watch for indicators of post-exploitation activity (credential dumping, lateral movement) following PDF access. Browser security logs and crash reports may contain evidence of exploitation attempts. Conduct user awareness training to reduce the likelihood of users opening unexpected PDFs, especially from unknown senders.

Why prioritize this

This vulnerability warrants immediate patching (within 48–72 hours). The combination of high CVSS score (8.8), ease of exploitation, low user interaction friction, and broad platform coverage makes it attractive to opportunistic attackers. The lack of KEV designation does not diminish risk; active exploitation is likely given the simplicity of the attack. Early patching prevents inclusion in attacker toolkits and reduces the window for mass compromise.

Risk score, explained

The CVSS 3.1 score of 8.8 (HIGH) reflects the following factors: Attack Vector (Network) and Attack Complexity (Low) indicate easy remote exploitation; no Privileges Required and low User Interaction (a user must open a PDF) mean most users are at risk without special conditions; the scope is Unchanged but all three impact metrics (Confidentiality, Integrity, Availability) are High, meaning successful exploitation leads to complete system compromise. This score is appropriate and reflects a dangerous vulnerability requiring urgent action.

Frequently asked questions

What versions of Chrome are affected?

All versions of Google Chrome prior to 148.0.7778.216 are vulnerable. Check your version by going to Chrome Settings > About Chrome to see if you need to update.

Can the sandboxed PDF process be exploited to fully compromise my system?

The vulnerability exists within the sandboxed PDF renderer, which initially contains the attack. However, use-after-free vulnerabilities can enable sandbox escape techniques, so full system compromise is possible depending on other mitigations and the attacker's sophistication.

Is there a workaround if I cannot update Chrome immediately?

There is no practical workaround short of avoiding PDF files or using an alternative PDF reader. Auto-update should deploy the patch soon, but if your organization uses manual updates, prioritize this update to the patch queue immediately.

How was this vulnerability discovered and reported?

The vulnerability was discovered by external security researchers and reported to Google through responsible disclosure processes. Google's Chromium team assigned it High severity and included a fix in the Chrome 148.0.7778.216 release.

This analysis is based on official vulnerability data from Google and CVE sources as of the publication date. Specific patch versions and deployment timelines should be verified against your vendor's official security advisories and your organization's patch management policies. This document is provided for informational and educational purposes to support security decision-making and does not constitute legal advice. Organizations should validate all findings independently and conduct thorough testing before deploying patches to production systems. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).