Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Lifecycle Timeline
5DescriptionCVE.org
Cryptographic Flaw in PDFium in Google Chrome prior to 147.0.7727.55 allowed an attacker to read potentially sensitive information from encrypted PDFs via a brute-force attack. (Chromium security severity: Medium)
AnalysisAI
Cryptographic weakness in PDFium allows unauthenticated remote attackers to decrypt and read sensitive information from password-protected PDFs through brute-force attacks when users view malicious or compromised PDF files in Google Chrome versions prior to 147.0.7727.55. The vulnerability requires user interaction (opening a PDF) but combines weak cryptographic design (CWE-326) with low attack complexity, making it feasible for attackers to extract confidential content from encrypted documents. EPSS score of 0.01% indicates minimal real-world exploitation likelihood despite Chromium's medium severity classification.
Technical ContextAI
PDFium is the open-source PDF rendering engine embedded in Chromium-based browsers including Google Chrome. The vulnerability stems from insufficient key derivation or weak encryption parameters in PDFium's PDF decryption implementation, classified as CWE-326 (Inadequate Encryption Strength). PDF encryption typically uses RC4 or AES ciphers with password-based key derivation; weak implementation allows attackers to computationally enumerate possible decryption keys faster than intended. The flaw affects the cryptographic layer that processes encrypted PDF documents before rendering, meaning any PDF with owner or user password protection becomes vulnerable to offline brute-force attacks once retrieved by an attacker.
RemediationAI
Upgrade Google Chrome to version 147.0.7727.55 or later immediately to receive the patched PDFium implementation. Users on Windows, macOS, and Linux can enable automatic updates or manually check Settings > About > Google Chrome for update installation. For organizations requiring manual deployment, the stable channel release is documented at https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html. No workarounds exist for the cryptographic flaw itself; users should avoid opening PDFs from untrusted sources and consider disabling PDF preview in email clients until patched. Chromium-based browsers should check their respective update channels for patched versions incorporating the upstream fix (reference https://issues.chromium.org/issues/486906037 for technical details).
Use-after-free vulnerability in the DisplayObject class in the ActionScript 3 (AS3) implementation in Adobe Flash Player
V8 in Google Chrome prior to 54.0.2840.90 for Linux, and 54.0.2840.85 for Android, and 54.0.2840.87 for Windows and Mac
Type confusion in V8 in Google Chrome prior to 59.0.3071.86 for Linux, Windows, and Mac, and 59.0.3071.92 for Android, a
The Array.prototype.concat implementation in builtins.cc in Google V8, as used in Google Chrome before 49.0.2623.108, do
Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderb
Incorrect handling of complex species in V8 in Google Chrome prior to 57.0.2987.98 for Linux, Windows, and Mac and 57.0.
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbi
An issue was discovered in the Cisco WebEx Extension before 1.0.7 on Google Chrome, the ActiveTouch General Plugin Conta
The XrayWrapper implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly interact with
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbi
The Web IDL implementation in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and Se
Use-after-free vulnerability in the BitmapData class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13
Same weakness CWE-326 – Inadequate Encryption Strength
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| SUSE Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| openSUSE Tumbleweed | Fixed |
| SUSE Package Hub 15 SP6 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20705
GHSA-mp5w-52hw-836r