Description
Use after free in PDFium in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: Low)
Published: 2026-06-30
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a use-after-free (CWE-416) in the PDFium component of Google Chrome. A specially crafted PDF triggers it when opened in the built-in viewer, letting a remote attacker execute arbitrary code inside Chrome's sandboxed renderer process. Exploitation requires the victim to open the malicious PDF, and on its own the flaw does not give access to the host outside the sandbox.

Affected Systems

The flaw affects every platform running Google Chrome builds earlier than 150.0.7871.47: Microsoft Windows, macOS, Linux and ChromeOS installations that still carry the vulnerable PDFium library. Other Chromium-based browsers bundle PDFium as well; whether and when they ship the fix is a matter for their own advisories.

Risk and Exploitability

No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, so there is no public evidence of active exploitation at the time of writing. Chromium rates the bug as Low severity; the description nonetheless states that it allows remote code execution, confined to the sandbox. The likely attack vector is a malicious PDF delivered by email, a web link, or a local file, and it succeeds as long as the victim opens the file in a vulnerable browser. A successful exploit yields code execution limited by the sandbox; reaching the host would require chaining it with a separate sandbox-escape or privilege-escalation vulnerability, none of which is described here.

Generated by OpenCVE AI on July 1, 2026 at 03:41 UTC.

Remediation

The vendor fix is the release of Google Chrome 150.0.7871.47 (the fixed version named in the CVE description); no separate workaround is published.

OpenCVE Recommended Actions

  • Update Google Chrome to version 150.0.7871.47 or later, and verify the installed build afterwards (chrome://version, or the browser's --version output).
  • If an update is not immediately possible, stop Chrome from rendering PDFs in the built-in viewer: the AlwaysOpenPdfExternally enterprise policy, or the "Download PDFs" option under chrome://settings/content/pdfDocuments, makes Chrome download PDFs instead of opening them in PDFium. This shifts the PDF to whatever external reader the system uses, which must itself be kept patched.
  • Keep the operating system's sandbox and integrity monitoring features enabled so that any follow-on privilege escalation attempt after a successful exploit is contained and detected.

Generated by OpenCVE AI on July 1, 2026 at 03:41 UTC.
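The first recommended action is to confirm the installed build is at or past the fixed version. The following check is an added example, not part of the OpenCVE page or of Chromium's own tooling: it parses the text printed by Chrome's --version switch and compares the version numerically, field by field, because a plain string comparison ranks "150.0.7871.9" above "150.0.7871.47". The binary names it probes on PATH and the sample version strings are assumptions, constructed for running offline.

```python
"""Added example (not the page's or Chromium's code): is the installed
Chrome older than the fixed build for this CVE?"""
import re
import shutil
import subprocess

# Fixed version, taken from the CVE description.
FIXED_VERSION = "150.0.7871.47"

# Binary names to probe on PATH when run on a real host (assumption).
CHROME_BINARIES = ("google-chrome", "google-chrome-stable",
                   "chromium", "chromium-browser")

# Chrome versions are always four numeric components.
_VERSION_RE = re.compile(r"(\d+(?:\.\d+){3})")


def parse_version(text):
    """Return the version as a tuple of ints from text such as
    'Google Chrome 150.0.7871.47' or 'Chromium 149.0.7800.12 snap'.
    Raises ValueError when no four-part version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Chrome version found in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version_text, fixed=FIXED_VERSION):
    """True when the reported build is numerically older than the fix."""
    return parse_version(version_text) < parse_version(fixed)


def installed_chrome_version():
    """Ask the first Chrome/Chromium binary on PATH for its version line.
    Returns None if none is found or the binary fails to run."""
    for name in CHROME_BINARIES:
        path = shutil.which(name)
        if not path:
            continue
        try:
            out = subprocess.run([path, "--version"], capture_output=True,
                                 text=True, timeout=10, check=True).stdout
        except (OSError, subprocess.SubprocessError):
            continue
        return out.strip()
    return None


# Constructed sample outputs (not captured from real hosts).
SAMPLE_OUTPUTS = [
    "Google Chrome 149.0.7800.12",    # older major: vulnerable
    "Google Chrome 150.0.7871.9",     # string-greater but numerically older: vulnerable
    "Google Chrome 150.0.7871.47",    # the fixed build itself: not vulnerable
    "Chromium 150.0.7871.100 snap",   # later patch level: not vulnerable
]


def classify(outputs):
    """Map each version line to whether it is vulnerable."""
    return {text: is_vulnerable(text) for text in outputs}


if __name__ == "__main__":
    live = installed_chrome_version()
    targets = [live] if live else SAMPLE_OUTPUTS
    for text, vuln in classify(targets).items():
        print(f"{'VULNERABLE' if vuln else 'ok':<10} {text}")
```

On a host without Chrome on PATH the script falls back to the constructed samples, which is enough to see why the numeric comparison matters; on a managed fleet the same `is_vulnerable` check can be run over inventory data exported from the endpoint management tool instead of querying binaries.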

Tracking


Advisories

No advisories yet.

History

Wed, 01 Jul 2026 04:00:00 +0000

Type         Values Removed   Values Added
Title                         Use After Free in PDFium Enables Remote Code Execution in Google Chrome

Tue, 30 Jun 2026 23:15:00 +0000

Type         Values Removed   Values Added
Description                   Use after free in PDFium in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: Low)
Weaknesses                    CWE-416
References


MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-30T22:39:29.962Z

Reserved: 2026-06-29T23:11:43.809Z

Link: CVE-2026-14108

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T03:45:03Z

Weaknesses