A use‑after‑free flaw exists in Google Chrome’s PDF rendering engine for versions before 149.0.7827.103. When a maliciously crafted PDF file is processed, the memory management bug can be triggered to execute arbitrary code within the sandboxed renderer process. The primary outcome is that an attacker can run code at the renderer level, potentially bypassing the sandbox if additional exploitation steps succeed. The weakness is classified as CWE‑416 and exhibits characteristics of CWE‑825.

The vulnerability affects the Google Chrome web browser running on any operating system where the PDF viewer component is enabled, specifically for all Chrome releases prior to 149.0.7827.103. Versions equal to or newer than 149.0.7827.103 contain the patch that eliminates the use‑after‑free condition.

The CVE is rated as High severity (CVSS 8.8) by Chromium’s internal severity model. Because the EPSS data is < 1%, the exact exploitation probability cannot be quantified, but the lack of listing in the CISA KEV catalog implies no publicly identified exploits at this time. The attack vector is remote, requiring only that an attacker provides a malicious PDF to the victim, either via a downloaded file or a link. If the victim opens the file, the exploit can trigger immediately, making the risk significant for users who routinely view PDFs from untrusted sources.