Description
Use after free in PDFium in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. (Chromium security severity: Low)
Published: 2026-06-04
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a use after free in the PDFium rendering engine of Google Chrome that permits a heap corruption through a maliciously crafted PDF file. Such corruption could be leveraged by a remote attacker to execute arbitrary code from the victim's system, aligning with the CWE‑416 weakness for improper release of object.

Affected Systems

Google Chrome versions prior to 149.0.7827.53, specifically the PDFium component included in those Chrome builds.

Risk and Exploitability

Based on the description, the likely attack vector is delivery of a malicious PDF file to the victim via browsing or email. The CVSS score is not provided, and EPSS data is unavailable, but the identified low severity in Chromium’s labeling indicates limited field impact. Nonetheless, the nature of the weakness suggests potential for remote code execution if an attacker can deliver a crafted PDF to the target. No exploitation techniques are published, and the vulnerability is not listed in the CISA KEV catalog, reducing the likelihood of widespread exploitation at present.

Generated by OpenCVE AI on June 5, 2026 at 00:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 149.0.7827.53 or later, which contains the PDFium fix.
  • Disable the built‑in PDF viewer within Chrome settings or by setting the PDF viewer extension to block PDFs from unknown origins.
  • If an upgrade is delayed, avoid opening PDF files from untrusted sources until a patch is applied.

Generated by OpenCVE AI on June 5, 2026 at 00:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 01:30:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 05 Jun 2026 01:15:00 +0000

Type Values Removed Values Added
Title Use After Free in PDFium Leading to Heap Corruption in Google Chrome

Thu, 04 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
Description Use after free in PDFium in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. (Chromium security severity: Low)
Weaknesses CWE-416
References

Subscriptions

Google Chrome
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-04T23:06:26.270Z

Reserved: 2026-06-04T17:11:21.190Z

Link: CVE-2026-11304

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-05T00:17:08.350

Modified: 2026-06-05T00:17:08.350

Link: CVE-2026-11304

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T01:15:15Z

Weaknesses