Description
Use after free in PDFium in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: Low)
Published: 2026-06-04
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use-after-free (CWE-416) in PDFium, Chrome's built-in PDF renderer, is triggered by a crafted PDF file and lets a remote attacker execute arbitrary code inside Chrome's sandbox. Because the code execution is confined to the sandboxed process, taking over the host would additionally require a sandbox escape. That confinement is the gap between the CVSS 3.1 base score of 8.8 (High), which scores confidentiality, integrity and availability as High and does not model the sandbox, and Chromium's own severity rating of Low.

Affected Systems

Google Chrome on desktop platforms (Windows, macOS, Linux) in any version earlier than 149.0.7827.53. The CVE names only Google Chrome; other Chromium-based browsers that bundle PDFium are not covered by this record and should be checked against their own vendors' advisories.

Risk and Exploitability

Chromium rates the bug Low, no EPSS score is available yet, and it is not in CISA's KEV catalog; the SSVC assessment recorded in the History section (Exploitation: none, Automatable: no, Technical Impact: total) matches that picture. Exploitation requires a user to open a malicious PDF in Chrome, whether delivered by social engineering or as a drive-by download, which is what the UI:R component of the CVSS vector records. Code execution is confined to the sandboxed process and no exploit is widely known, so immediate risk is limited, but Chrome renders PDFs in the browser by default and PDFium parses attacker-controlled input, so the update should be applied promptly.

Generated by OpenCVE AI on June 5, 2026 at 00:55 UTC.

Remediation

No vendor advisory is linked on this page yet. The CVE description identifies Google Chrome 149.0.7827.53 as the first fixed release, so upgrading to that version or later is the remediation.

OpenCVE Recommended Actions

  • Upgrade Chrome to version 149.0.7827.53 or later
  • Enable Chrome auto‑update to receive the fix automatically
  • Avoid opening PDF files from untrusted or unknown sources until the browser is updated; as an interim control, Chrome's PDF setting (chrome://settings/content/pdfDocuments) can be switched to download PDFs instead of rendering them in the browser, which keeps drive-by PDFs from reaching PDFium automatically
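The upgrade check behind the first bullet, as an added example for this page rather than anything OpenCVE or Google ships: Python that compares an installed Chrome build against the fixed version 149.0.7827.53 from the description. Chrome versions are four dotted integers (MAJOR.MINOR.BUILD.PATCH) and must be compared numerically, not as strings. The binary name google-chrome and the shape of its --version output are assumptions about a Linux install, and the sample version banners are constructed.

```python
import re
import subprocess
from typing import Optional, Tuple

# First fixed version, taken from the CVE description.
FIXED_VERSION = "149.0.7827.53"

Version = Tuple[int, int, int, int]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Extract MAJOR.MINOR.BUILD.PATCH from a banner like 'Google Chrome 149.0.7827.53'."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no Chrome-style version in {text!r}")
    major, minor, build, patch = (int(part) for part in m.groups())
    return (major, minor, build, patch)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build predates the fix. Tuple comparison is numeric
    per component, so 149.0.7827.9 correctly sorts before 149.0.7827.53; a plain
    string comparison would rank '9' above '5' and call that build patched."""
    return parse_version(installed) < parse_version(fixed)


def installed_chrome_version(binary: str = "google-chrome") -> Optional[str]:
    """Ask the local browser for its version. Assumes a Linux install where
    `google-chrome --version` prints a line such as 'Google Chrome 149.0.7827.53'
    (assumption, not taken from the page); returns None if the binary is missing
    or does not answer."""
    try:
        proc = subprocess.run(
            [binary, "--version"], capture_output=True, text=True, timeout=10, check=True
        )
    except (OSError, subprocess.CalledProcessError, subprocess.TimeoutExpired):
        return None
    return proc.stdout.strip() or None


def assess(binary: str = "google-chrome") -> str:
    """Human-readable verdict for the machine this runs on."""
    banner = installed_chrome_version(binary)
    if banner is None:
        return f"{binary}: not found or not responding"
    try:
        vulnerable = is_vulnerable(banner)
    except ValueError:
        return f"{binary}: could not parse a version from {banner!r}"
    state = "VULNERABLE, update" if vulnerable else "patched"
    return f"{binary}: {banner} -> {state} (fixed in {FIXED_VERSION})"


if __name__ == "__main__":
    # Constructed sample banners first, then the live check on this host.
    samples = (
        "Google Chrome 149.0.7827.52",
        "Google Chrome 149.0.7827.53",
        "Google Chrome 148.0.7899.120",
    )
    for sample in samples:
        print(sample, "->", "vulnerable" if is_vulnerable(sample) else "patched")
    print(assess())
```

On a fleet this is normally fed from an inventory export rather than a local subprocess call; is_vulnerable() takes any string containing the version, so it works unchanged on banners pulled from an MDM or package database.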

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 01:30:00 +0000

Type: Metrics
Values added:
  cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 05 Jun 2026 01:15:00 +0000

Type: Title
Values added: Remote Code Execution via PDFium Use-After-Free

Thu, 04 Jun 2026 23:45:00 +0000

Type: Description
Values added: Use after free in PDFium in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: Low)
Type: Weaknesses
Values added: CWE-416
Type: References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-05T01:01:40.601Z

Reserved: 2026-06-04T17:11:20.862Z

Link: CVE-2026-11303

Vulnrichment

Updated: 2026-06-05T01:00:58.271Z

NVD

Status : Received

Published: 2026-06-05T00:17:08.220

Modified: 2026-06-05T02:17:10.090

Link: CVE-2026-11303

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T01:00:15Z

Weaknesses