Description
Insufficient policy enforcement in PDF in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to bypass navigation restrictions via a crafted PDF file. (Chromium security severity: Low)
Published: 2026-03-11
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote navigation bypass via crafted PDF
Action: Apply Patch
AI Analysis

Impact

The vulnerability is insufficient enforcement of navigation policy in Chrome’s PDF viewer. A malicious PDF can be crafted so that, when a user opens it, the browser navigates to an arbitrary URL, bypassing the restrictions that normally prevent navigation to potentially unsafe destinations. This bypass could allow a remote attacker to direct a user’s browser to malicious sites, phishing pages, or other content that could lead to further compromise.

Affected Systems

Affected systems include all operating systems running a Chrome version earlier than 146.0.7680.71. This includes Chrome on Windows, macOS, and Linux desktops. The flaw exists only in the client‑side PDF rendering code bundled with the desktop browser and is not a server‑side issue.

Risk and Exploitability

The CVSS base score is 6.5, indicating moderate risk. The EPSS score is below 1%, indicating a low estimated probability of exploitation. It is not listed in the CISA KEV catalog. The flaw can be exploited by a remote attacker who sends a malicious PDF to a target user, who must then open it. The most likely attack vector involves social engineering or attachment delivery; the attacker does not need prior access to the network or a separate remote compromise of the browser.

Generated by OpenCVE AI on April 16, 2026 at 02:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chrome to the latest revision that includes the fix, at least version 146.0.7680.71.
  • If an immediate update is not possible, configure Chrome policy to disable navigation from PDFs by setting the appropriate policy to false.
  • Disable the built‑in PDF viewer or configure it to open PDFs in an external application to reduce the attack surface.

Advisories

Source: Debian DSA
ID: DSA-6164-1
Title: chromium security update

History

Mon, 16 Mar 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared: Apple, Apple macos, Linux, Linux linux Kernel, Microsoft, Microsoft windows
Weaknesses: NVD-CWE-noinfo
CPEs:
  cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
  cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
  cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
  cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products: Apple, Apple macos, Linux, Linux linux Kernel, Microsoft, Microsoft windows

Sat, 14 Mar 2026 04:15:00 +0000

Type Values Removed Values Added
Weaknesses: CWE-284
Metrics:
  cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
  cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}


Fri, 13 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Title: chromium-browser: Insufficient policy enforcement in PDF
References
Metrics:
  threat_severity: None
  cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L'}
  threat_severity: Low


Thu, 12 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared: Google, Google chrome
Vendors & Products: Google, Google chrome

Wed, 11 Mar 2026 22:15:00 +0000

Type Values Removed Values Added
Description: Insufficient policy enforcement in PDF in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to bypass navigation restrictions via a crafted PDF file. (Chromium security severity: Low)
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-03-14T03:19:04.766Z

Reserved: 2026-03-11T05:54:15.153Z

Link: CVE-2026-3939

Vulnrichment

Updated: 2026-03-14T03:18:49.582Z

NVD

Status : Modified

Published: 2026-03-11T22:16:36.573

Modified: 2026-03-16T14:19:54.700

Link: CVE-2026-3939

Redhat

Severity : Low

Public Date: 2026-03-10T00:00:00Z

Links: CVE-2026-3939 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-16T03:00:09Z

Weaknesses