Description
Use after free in PDFium in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: Low)
Published: 2026-06-04
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use‑after‑free flaw in PDFium can be triggered with a crafted PDF file, allowing a remote attacker to execute arbitrary code inside Chrome’s sandbox. The vulnerability is a classic use‑after‑free (CWE‑416) and also includes a file‑access control issue (CWE‑825) within the sandbox that could allow further compromise.

Affected Systems

Google Chrome users on any desktop platform running a version earlier than 149.0.7827.53 are affected.

Risk and Exploitability

Chromium severity is listed as Low, but its CVSS score of 8.8 indicates a high potential for remote code execution. The EPSS score of < 1% suggests a very low probability that this vulnerability is actively exploited. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires a user to open a malicious PDF in Chrome. The likely attack vector is inferred to be a user opening a malicious PDF via social engineering or a drive‑by download. While the flaw is theoretically exploitable, its impact is confined to the sandboxed process and the lack of a widely known exploit reduces immediate risk, yet patching remains strongly recommended.

Generated by OpenCVE AI on June 7, 2026 at 16:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chrome to version 149.0.7827.53 or later
  • Enable Chrome auto‑update to receive the fix automatically
  • Avoid opening PDF files from untrusted or unknown sources until the browser is updated
  • Verify that Chrome’s sandbox enforces strict file‑access permissions to mitigate the CWE‑825 file‑access control weakness

Generated by OpenCVE AI on June 7, 2026 at 16:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6325-1 chromium security update
History

Mon, 08 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Sun, 07 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: Use after free in PDFium
Weaknesses CWE-825
References
Metrics threat_severity

None

 threat_severity

Low

Fri, 05 Jun 2026 06:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 05 Jun 2026 05:00:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via PDFium Use‑After‑Free

Fri, 05 Jun 2026 01:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 01:15:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via PDFium Use‑After‑Free

Thu, 04 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
Description Use after free in PDFium in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: Low)
Weaknesses CWE-416
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-06T03:56:02.579Z

Reserved: 2026-06-04T17:11:20.862Z

Link: CVE-2026-11303

cve-icon Vulnrichment

Updated: 2026-06-05T01:00:58.271Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-05T00:17:08.220

Modified: 2026-06-08T18:01:43.640

Link: CVE-2026-11303

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-02T00:00:00Z

Links: CVE-2026-11303 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-07T16:30:04Z

Weaknesses