Impact
The vulnerability is a use‑after‑free flaw in the PDFium component of Google Chrome, which can arbitrary code within the browser’s sandbox when a specially crafted PDF file is opened. The flaw requires the user to interact with the malicious PDF but does not compromise the system directly outside of the sandboxed environment.
Affected Systems
The flaw affects all platforms running Google Chrome versions earlier than 150 Microsoft Windows, macOS, Linux, and Chrome OS are all potentially vulnerable if they receive unpatched Chrome installations that include the affected PDFium library.
Risk and Exploitability
There is no EPSS score available and the vulnerability is not listed in the CISA KEV catalog, suggesting that it is not actively exploited yet. However, the CVE is rated as ‘Low’ severity by Chromium but would provide remote code execution inside the sandbox. The likely attack vector involves a malicious PDF file delivered via email, a website link, or a local file as long as the victim opens it in the vulnerable browser. Once exploited, the attacker gains code execution limited by the sandbox but could pivot to further attacks if privilege escalation is achievable later.
OpenCVE Enrichment