Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Use after free in PDF in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: High)
AnalysisAI
Sandboxed arbitrary code execution in Google Chrome versions prior to 149.0.7827.53 stems from a use-after-free flaw in the browser's PDF component, exploitable when a remote attacker convinces a user to perform specific UI gestures after loading a crafted PDF. Chromium rates the severity as High and a vendor patch is available, though no public exploit has been identified at time of analysis and CISA SSVC marks exploitation status as none.
Technical ContextAI
The vulnerability resides in Chrome's PDF rendering subsystem (PDFium), which parses and displays PDF documents inside the browser. CWE-416 (Use-After-Free) means the code references a memory region after it has been freed, allowing an attacker who controls the freed allocation's contents to corrupt object state and ultimately hijack control flow. Per the CPE/version data, the issue impacts Chrome desktop builds before 149.0.7827.53 across the platforms Chromium supports. Code execution is constrained to Chrome's renderer/PDF sandbox per the description, meaning a separate sandbox-escape would be required to reach the host OS.
RemediationAI
Vendor-released patch: Google Chrome 149.0.7827.53 - update Chrome via the Stable channel using the Chrome Releases advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html and verify the new build via chrome://settings/help. Users of Chromium derivatives should apply the corresponding vendor update once it ships. As an interim compensating control, disable the built-in PDF viewer by setting the enterprise policy AlwaysOpenPdfExternally=true or PluginsAllowedForUrls/PDF restrictions, which forces PDFs to download rather than render in-browser and removes the attack surface; the trade-off is degraded UX and reliance on the user's external PDF handler, which may itself be vulnerable. Blocking inline PDF delivery at the web proxy (e.g., stripping application/pdf from untrusted origins) is another option but breaks legitimate PDF workflows.
Same weakness CWE-416 – Use After Free
View allSame technique Memory Corruption
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34394
GHSA-vjm9-g2m8-4pr3