CVE-2026-9960: PDFium Integer Overflow in Google Chrome – Sandbox Escape Vulnerability
A flaw in PDFium, the PDF rendering library used by Google Chrome, allows an attacker who has already compromised Chrome's renderer process to break out of the sandbox and run arbitrary code with elevated privileges by supplying a specially crafted font file. This represents a significant post-compromise risk for users who may have already been exposed to initial malware or browser exploits.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-472
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
Integer overflow in PDFium in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to execute arbitrary code inside a sandbox via a crafted font file. (Chromium security severity: High)
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-9960 is an integer overflow vulnerability in PDFium affecting Google Chrome versions prior to 148.0.7778.216. The flaw resides in font file parsing logic within the PDF rendering engine. When PDFium processes a malformed font embedded in a PDF, inadequate bounds checking on integer calculations can lead to a buffer overflow or memory corruption. An attacker with code execution in the renderer sandbox can exploit this to escape the sandbox and achieve full arbitrary code execution in the Chrome process context. The vulnerability is classified as CWE-472 (Improper Generation of Weak Initialization Vector (IV)—though the practical manifestation is a classic integer-overflow-to-memory-corruption chain). No public exploit or KEV listing currently exists, but the attack surface is real for any user viewing an attacker-crafted PDF in a compromised browser.
Business impact
This vulnerability primarily affects organizations and users on Windows, macOS, and Linux who rely on Chrome for document handling. While the attacker must first compromise the renderer process, successful exploitation effectively neutralizes Chrome's sandbox security model—a critical defense layer. For enterprises using Chrome as a standard browser, this could enable lateral movement and privilege escalation from a browsing context to system-level access. The risk is elevated in scenarios where users are already targeted by drive-by downloads or credential-theft malware.
Affected systems
Google Chrome versions prior to 148.0.7778.216 are affected across Windows, macOS, and Linux platforms. PDFium is bundled into Chromium-based browsers; organizations using Chrome, Chromium, Edge (Chromium-based), and other Chromium derivatives should evaluate their exposure. The vulnerability does not affect standalone PDFium deployments unless they implement the same vulnerable code path, but the primary concern is Chrome users.
Exploitability
The CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H, score 7.5) reflects a network-accessible attack that requires high complexity and user interaction (opening a PDF). Critically, this is a post-compromise risk: the attacker must already have code execution in the Chrome renderer. No public exploit is known, and the vulnerability is not tracked on the CISA KEV list. However, if combined with a separate renderer-process vulnerability (e.g., a use-after-free or type confusion flaw), the two-stage attack becomes a realistic threat chain. Practical exploitability is moderate to low for isolated users but higher in targeted attacks against high-value targets.
Remediation
Update Google Chrome to version 148.0.7778.216 or later immediately. Verify the update has been applied via Chrome Menu > Settings > About Chrome, which will auto-check for updates and display the current version. For enterprise deployments, use Chrome Enterprise policy to enforce auto-updates and restrict end-user version downgrading. Organizations unable to patch immediately should consider disabling PDF preview in Chrome or restricting access to untrusted PDF sources until patching is complete.
Patch guidance
Google Chrome 148.0.7778.216 and subsequent releases contain the fix. Users on Windows, macOS, and Linux should receive automatic updates; however, manual verification is recommended for security-critical environments. Check chrome://version to confirm build number. Enterprise administrators should validate deployment through Google's Admin console and monitor update completion metrics. No rollback is necessary unless the patched version introduces regression; in that case, verify against Chrome release notes before reverting.
Detection guidance
Monitor Chrome process crashes and sandbox violations in the browser's internal crash reports (chrome://crashes). Look for PDF-related renderer process terminations, particularly when processing PDFs from untrusted sources. On the endpoint, monitor for unusual child processes spawned from the Chrome process after PDF handling, which may indicate sandbox escape. Network detection is limited since the attack is entirely in-process; however, behavioral indicators (unusual system calls, privilege escalation attempts from browser context) may be observable via EDR tools. Organizations should review recent intrusion logs for evidence of renderer-process exploits paired with post-exploitation activity.
Why prioritize this
Although not yet in active exploitation, this vulnerability merits priority patching because (1) it enables sandbox escape, negating a core Chrome security control, (2) it is likely to be chained with other Chrome vulnerabilities in targeted attacks, and (3) the fix is straightforward and widely available. The requirement for prior renderer-process compromise reduces the immediate risk for most users, but the severity of the consequence (full code execution outside the sandbox) justifies rapid patching. Prioritize organizations that handle sensitive PDFs or are in high-threat environments.
Risk score, explained
The CVSS 7.5 HIGH rating reflects high impact (confidentiality, integrity, and availability all affected) but constrained attack complexity and the prerequisite of renderer-process compromise. The score appropriately captures that this is a dangerous but not immediately exploitable-in-the-wild vulnerability. For risk prioritization, organizations should weigh this against their browser-based attack surface and the likelihood of renderer-process compromise via other means (e.g., browser bugs, malvertising). Risk is elevated for enterprises that process untrusted documents or operate in high-threat verticals.
Frequently asked questions
What happens if I use a non-Chromium PDF reader (e.g., Adobe Acrobat, PDF-XChange)?
This vulnerability is specific to PDFium in Chrome. If you use standalone PDF readers, they are not affected by this flaw unless they also bundle the vulnerable version of PDFium. However, many users default to Chrome's built-in PDF viewer, so awareness and patching are still important.
Can I be exploited if I simply receive a malicious PDF via email without opening it?
No. The exploit requires that you open the PDF in Chrome (or another affected Chromium-based browser) and that the renderer process has already been compromised. Simply receiving or downloading a PDF is not sufficient for exploitation.
Is there a workaround if I cannot patch immediately?
Partial mitigations include disabling JavaScript in PDF rendering, avoiding PDFs from untrusted sources, and using a non-Chromium PDF reader for sensitive documents. However, these are not fool-proof. The recommended action is to update Chrome as soon as possible; the update process is typically automatic and transparent.
Does this affect Chrome on mobile (Android, iOS)?
Chrome on Android is based on Chromium and would be affected; verify your Android Chrome version and apply updates through the Google Play Store. iOS Chrome uses WebKit, not Blink/Chromium, so the PDFium flaw does not apply to iOS, though you should keep iOS Chrome updated for other security reasons.
This analysis is provided for informational purposes and is based on the CVE record and vendor advisory information current as of the publication date. Verify all patch versions and affected product details against the official Google Chrome security advisories before taking action. No exploit code or weaponized proof-of-concept is provided. Organizations should conduct their own risk assessment and apply patches according to their security policies and operational windows. SEC.co makes no warranty regarding the accuracy, completeness, or timeliness of this information. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10009HIGHChrome Skia Integer Overflow Sandbox Escape – Patch Guidance
- CVE-2026-10015HIGHChrome WTF Integer Overflow RCE Vulnerability Analysis
- CVE-2026-10019HIGHChrome ANGLE Integer Overflow Enables Cross-Origin Data Leak
- CVE-2026-10921HIGHChrome Dawn Integer Overflow Sandbox Escape Vulnerability
- CVE-2026-10924HIGHChrome Integer Overflow Sandbox Escape Vulnerability
- CVE-2026-10963HIGHChrome V8 Integer Overflow RCE – Sandbox Escape Vulnerability
- CVE-2026-10964HIGHGoogle Chrome V8 Integer Overflow Remote Code Execution Vulnerability
- CVE-2026-10965HIGHChrome DevTools Integer Overflow Remote Code Execution