Skip to main content

Google Chrome CVE-2026-10945

| EUVDEUVD-2026-34394 HIGH
Use After Free (CWE-416)
2026-06-04 chrome-cve-admin@google.com GHSA-vjm9-g2m8-4pr3
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
8.8 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 05, 2026 - 02:46 vuln.today
CVSS changed
Jun 05, 2026 - 02:22 NVD
8.8 (HIGH)
CVE Published
Jun 04, 2026 - 23:16 nvd
HIGH 8.8
CVE Published
Jun 04, 2026 - 23:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Use after free in PDF in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: High)

AnalysisAI

Sandboxed arbitrary code execution in Google Chrome versions prior to 149.0.7827.53 stems from a use-after-free flaw in the browser's PDF component, exploitable when a remote attacker convinces a user to perform specific UI gestures after loading a crafted PDF. Chromium rates the severity as High and a vendor patch is available, though no public exploit has been identified at time of analysis and CISA SSVC marks exploitation status as none.

Technical ContextAI

The vulnerability resides in Chrome's PDF rendering subsystem (PDFium), which parses and displays PDF documents inside the browser. CWE-416 (Use-After-Free) means the code references a memory region after it has been freed, allowing an attacker who controls the freed allocation's contents to corrupt object state and ultimately hijack control flow. Per the CPE/version data, the issue impacts Chrome desktop builds before 149.0.7827.53 across the platforms Chromium supports. Code execution is constrained to Chrome's renderer/PDF sandbox per the description, meaning a separate sandbox-escape would be required to reach the host OS.

RemediationAI

Vendor-released patch: Google Chrome 149.0.7827.53 - update Chrome via the Stable channel using the Chrome Releases advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html and verify the new build via chrome://settings/help. Users of Chromium derivatives should apply the corresponding vendor update once it ships. As an interim compensating control, disable the built-in PDF viewer by setting the enterprise policy AlwaysOpenPdfExternally=true or PluginsAllowedForUrls/PDF restrictions, which forces PDFs to download rather than render in-browser and removes the attack surface; the trade-off is degraded UX and reliance on the user's external PDF handler, which may itself be vulnerable. Blocking inline PDF delivery at the web proxy (e.g., stripping application/pdf from untrusted origins) is another option but breaks legitimate PDF workflows.

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Tumbleweed Fixed

Share

CVE-2026-10945 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy