HIGH 8.8

CVE-2026-9958: Critical Use-After-Free in Chrome PDFium—Patch Now

A use-after-free vulnerability in PDFium, the PDF rendering engine embedded in Google Chrome, allows attackers to corrupt heap memory when a victim opens a maliciously crafted PDF file. An attacker can trigger this flaw remotely simply by getting someone to view a rigged PDF—no special browser settings or plugins required. This can lead to information disclosure, data corruption, or arbitrary code execution depending on how an attacker chains the memory corruption with other techniques.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416
Affected products
4 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

Use after free in PDFium in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. (Chromium security severity: High)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-9958 is a use-after-free (CWE-416) in PDFium affecting Google Chrome versions prior to 148.0.7778.216. The vulnerability occurs when PDFium processes certain PDF constructs, causing the engine to reference memory that has already been freed. This memory safety violation can corrupt the heap, potentially allowing an attacker to read sensitive data from the renderer process or, in some exploitation scenarios, achieve code execution. The Chromium security team classified this as High severity. The attack vector is network-based and requires only user interaction (opening a PDF), with no privileges or special conditions needed to trigger the flaw.

Business impact

Organizations whose employees use Chrome to view PDFs—a near-universal practice—face confidentiality and integrity risks. An attacker could exfiltrate data from the renderer process (credentials, session tokens, cached content) or corrupt document data mid-transaction. For firms handling sensitive PDFs (contracts, medical records, financial documents), this vulnerability creates both direct exposure (if PDFs arrive from untrusted sources) and lateral movement risk (if a compromised PDF is used to break out of the browser sandbox and reach the wider system). The vulnerability is particularly concerning because PDF processing is often automatic and trusted, making it a favorable infection vector compared to web-based attacks.

Affected systems

The vulnerability directly affects Google Chrome prior to version 148.0.7778.216. PDFium is vendored into Chrome, so the flaw exists in all affected Chrome versions on Windows, macOS, and Linux. While the data lists 'microsoft windows', 'apple macos', and 'linux linux_kernel' as affected vendors, the vulnerability itself is in the Chrome application and its bundled PDFium library, not in the operating systems themselves. Organizations running Chrome on any of these platforms with versions below 148.0.7778.216 are exposed.

Exploitability

The vulnerability is readily exploitable because it requires only that a user open a PDF file in Chrome—a routine, low-friction action. No authentication, special browser configuration, or user privilege is needed. Attackers can distribute malicious PDFs via email, watering-hole websites, or legitimate-looking file-sharing services. The barrier to exploitation is extremely low. However, achieving reliable code execution (as opposed to information disclosure) from a use-after-free requires exploit development skill and may depend on heap layout, memory protections, and other runtime factors. As of publication, the vulnerability is not yet listed in CISA's Known Exploited Vulnerabilities catalog, suggesting active in-the-wild exploitation has not been publicly confirmed at this time, but organizations should assume adversaries will develop exploits given the clear attack surface and high severity rating.

Remediation

The primary remediation is to update Google Chrome to version 148.0.7778.216 or later immediately. Chrome's auto-update mechanism typically deploys patches within hours to days of release; verify that your update has completed by checking Settings > About Google Chrome. For organizations with limited auto-update capabilities, consider forcing an update cycle or using Chrome's managed policies to enforce the patch. In the interim, minimize exposure by training users to avoid opening PDFs from untrusted sources and by disabling Chrome's built-in PDF viewer if an alternative viewer (such as a sandboxed or air-gapped PDF reader) is available in your environment. However, this is a temporary measure only—patching is essential.

Patch guidance

Google released the fix in Chrome 148.0.7778.216. Verify your Chrome version under Settings > About Google Chrome; the browser will auto-update if a newer version is available. For managed deployments, use Chrome's group policy (on Windows), preferences (on macOS), or Linux distribution package managers to ensure the patch is deployed. Confirm the version update across your fleet; some users may have postponed updates, so consider sending a recall notification to staff urging immediate installation. Test the update on a representative sample of machines before full deployment if you maintain a staged rollout process, though the risk of regression from a security patch is minimal compared to remaining vulnerable.

Detection guidance

Detection of exploitation attempts is challenging because the vulnerability lies in memory corruption within the renderer process. Standard network detection (IDS/IPS) will not catch a malicious PDF traversing the network. Focus instead on: (1) Ensuring Chrome is updated and enforcing the update via managed policies; (2) Monitoring file shares, email gateways, and download folders for suspicious PDF files (unusual size, obfuscated metadata, embedded scripts) using YARA rules or heuristic file scanning; (3) Logging Chrome crash reports (which may indicate exploitation attempts) if you have telemetry enabled; (4) Monitoring for anomalous process behavior (e.g., unexpected child processes spawned from Chrome, unusual system calls) using endpoint detection and response (EDR) tools. Given the memory-safety nature of the flaw, behavioral indicators post-exploitation (data exfiltration, lateral movement) may be more detectable than the initial memory corruption itself.

Why prioritize this

This vulnerability should be treated as critical-priority for patching because it combines ease of exploitation (any user opening a PDF), network accessibility (no privilege required), high impact (potential code execution), and high severity score (8.8). The attack surface is broad—users routinely encounter PDFs—and the barrier to triggering the flaw is negligible. Unlike many browser vulnerabilities that require complex multi-step attacks, this use-after-free can be triggered by a single file interaction. Organizations should prioritize this patch above general software updates and deploy it within 24–48 hours if operationally feasible.

Risk score, explained

The CVSS 3.1 score of 8.8 (HIGH) reflects a network-accessible attack with low complexity, no required privilege or special conditions, and high impact on confidentiality, integrity, and availability. The score is warranted because the vulnerability allows a remote attacker to corrupt heap memory, which can lead to information disclosure or, in crafted scenarios, arbitrary code execution. The primary limiting factor preventing a CRITICAL score is the requirement for user interaction (opening a PDF); however, this is a weak barrier in practice since PDF opening is routine and automatic in many workflows. The severity accurately conveys that this is a serious flaw requiring urgent remediation.

Frequently asked questions

Can this vulnerability be exploited if I simply receive a PDF in email but don't open it?

No. The flaw is triggered only when PDFium actually processes and renders the PDF file. Receiving or downloading the file poses no risk; opening it in Chrome is what matters. If your email client does not preview PDFs (or uses a separate viewer), and you never open suspicious attachments in Chrome, your risk is lower. However, accidental or inadvertent opening remains a realistic threat in many organizations.

Does this affect Chrome on mobile devices (Android/iOS)?

Google Chrome on Android uses PDFium and may be affected by this vulnerability. Chrome on iOS uses WebKit instead of Blink/PDFium, so the iOS version is likely not vulnerable. Verify the version number on your mobile devices and update Chrome through the Google Play Store or App Store accordingly. For Android devices in managed environments, ensure mobile device management (MDM) policies enforce Chrome updates.

If I use a different PDF reader instead of Chrome's built-in PDF viewer, am I safe?

If you use a third-party PDF reader (Adobe Acrobat, Foxit, Sumatra, etc.) instead of Chrome's viewer, you bypass PDFium and are not affected by this specific vulnerability. However, other PDF readers may have their own vulnerabilities. The safest approach is to patch Chrome immediately and, if feasible, use an additional security layer such as sandboxing or disabling auto-open of PDFs in email clients.

Is this vulnerability currently being exploited in the wild?

As of the publication date, this vulnerability has not been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, suggesting that widespread active exploitation has not been publicly reported. However, the high severity rating and ease of exploitation mean that threat actors are likely developing or preparing exploits. Organizations should not rely on absence from the KEV list as assurance; treat this as urgent and patch proactively.

This analysis is provided for informational purposes and represents a snapshot based on publicly available information as of the publication date. While we have exercised reasonable care in compiling this intelligence, SEC.co makes no warranty regarding completeness, accuracy, or fitness for a particular purpose. Threat landscapes evolve; patching guidance, detection methods, and risk assessments should be validated against current vendor advisories and your organization's security policies before implementation. Organizations are responsible for assessing risk within their own environments and conducting independent testing before applying patches to production systems. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).