Description
Heap buffer overflow in PDFium in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. (Chromium security severity: High)
Published: 2026-03-20
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Now
AI Analysis

Impact

PDFium, the PDF rendering engine in Google Chrome, contains a heap buffer overflow that can be triggered by a specially crafted PDF file. The vulnerability can lead to arbitrary code execution on the victim's machine when the PDF is opened, exposing the host to compromise. The weakness is identified by CWE-122 and CWE-787 and is classified as a high severity flaw with a CVSS score of 8.8.

Affected Systems

All users of Google Chrome on Windows, macOS, and Linux who are running a build earlier than Chrome version 146.0.7680.153 are affected. The vulnerability exists in the PDFium component of Chrome; upgrading to any supported release equal to or higher than 146.0.7680.153 eliminates the flaw.

Risk and Exploitability

The CVSS base score of 8.8 indicates a high risk to confidentiality, integrity, and availability, and the EPSS score of less than 1% suggests a low likelihood of current exploitation in the wild. The flaw is remotely exploitable without requiring local privileges, via the file system by delivering a malicious PDF that a user opens. The vulnerability is not listed in the CISA KEV catalog, but organizations should still treat it as a high‑risk issue because it can enable code execution.

Generated by OpenCVE AI on March 20, 2026 at 19:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 146.0.7680.153 or later.
  • Verify that the update has been applied and that the included PDFium library is the fixed version.
  • If an immediate update is not possible, disable PDF viewing in Chrome or limit PDF handling to a sandboxed environment.

Generated by OpenCVE AI on March 20, 2026 at 19:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6171-1 chromium security update
History

Fri, 20 Mar 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Fri, 20 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Title Heap Buffer Overflow in PDFium Allowing Remote Exploitation via Crafted PDF chromium-browser: Heap buffer overflow in PDFium
Weaknesses CWE-787
References
Metrics threat_severity

None

 cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

threat_severity

Important

Fri, 20 Mar 2026 11:15:00 +0000

Type Values Removed Values Added
Title Heap Buffer Overflow in PDFium Allowing Remote Exploitation via Crafted PDF

Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Fri, 20 Mar 2026 02:15:00 +0000

Type Values Removed Values Added
Description Heap buffer overflow in PDFium in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. (Chromium security severity: High)
Weaknesses CWE-122
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-03-21T04:01:12.858Z

Reserved: 2026-03-19T20:23:52.037Z

Link: CVE-2026-4455

cve-icon Vulnrichment

Updated: 2026-03-20T14:23:50.459Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-20T02:16:38.637

Modified: 2026-03-20T17:59:44.053

Link: CVE-2026-4455

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-18T00:00:00Z

Links: CVE-2026-4455 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:09:50Z

Weaknesses