How is CVE-2026-10002 exploited?

Network reachability (required): The attacker delivers the exploit over the network; the target Chrome instance must be reachable in the sense that the victim browses to or opens a remote-attacker-controlled PDF. Authentication (not-required): No account or credential of any kind is required; the attacker only needs to get the victim to open a crafted PDF file. Victim interaction (required): The victim must actively open or render a crafted PDF file, making this a social-engineering vector where the attacker must convince the user to take that action. Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and requires no special race conditions, memory layout dependencies, or other environmental preconditions beyond victim interaction.

What is the impact of CVE-2026-10002?

A successful attacker reads process memory, which may include session tokens, cached credentials, and rendered document contents. The attacker can write to or corrupt heap memory within the Chrome renderer process, modifying in-memory application state. The attacker can crash the Chrome renderer process, disrupting the user's browsing session and any active PDF workflows. Heap corruption at this severity level carries a realistic risk of full remote code execution within the Chrome renderer process sandbox.

Back to search

HIGHCVE-2026-10002Published 2026-05-28Modified 2026-05-30CNA Chrome

CVE-2026-10002: Use after free in PDFium in Google Chrome prior to 148

Use after free in PDFium in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. (Chromium security severity: High)

HarborGuard Analysis

HarborGuard analysis

Synopsis

A use-after-free vulnerability exists in PDFium, the PDF rendering library embedded in Google Chrome versions prior to 148.0.7778.216. The flaw is reachable over the network and requires no authentication, but does require the victim to open a specially crafted PDF file. Successful exploitation corrupts heap memory and gives the attacker the ability to read sensitive data, tamper with application state, and crash or take control of the affected process. A patched-image rebuild at version 148.0.7778.216 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: CVE-2026-10002 is ingested from upstream advisory feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle Google Chrome or Chromium. No manual scan trigger is required.

Available

Triage

HarborGuard scores this CVE at 8.8 HIGH using the published CVSS v3.1 vector and can weight that score against each customer environment's compliance policy to reflect actual exposure. Triage findings are routed to the appropriate team inbox within each customer organization based on configured escalation rules.

Available

Patch

A patched-image rebuild at Chrome 148.0.7778.216 is available on HarborGuard for any environment found to be running an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads automatically.

Available

Exploit Conditions

Network reachabilityRequired
The attacker delivers the exploit over the network; the target Chrome instance must be reachable in the sense that the victim browses to or opens a remote-attacker-controlled PDF.
AuthenticationNot required
No account or credential of any kind is required; the attacker only needs to get the victim to open a crafted PDF file.
Victim interactionRequired
The victim must actively open or render a crafted PDF file, making this a social-engineering vector where the attacker must convince the user to take that action.
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and requires no special race conditions, memory layout dependencies, or other environmental preconditions beyond victim interaction.

Blast Radius

A successful attacker reads process memory, which may include session tokens, cached credentials, and rendered document contents.
The attacker can write to or corrupt heap memory within the Chrome renderer process, modifying in-memory application state.
The attacker can crash the Chrome renderer process, disrupting the user's browsing session and any active PDF workflows.
Heap corruption at this severity level carries a realistic risk of full remote code execution within the Chrome renderer process sandbox.

How HarborGuard Handles This

Available on HarborGuard: CVE-2026-10002 is matched against customer images automatically within minutes of advisory publication, covering any image that packages Google Chrome or Chromium. Where an affected version is detected, a rebuilt image at 148.0.7778.216 becomes available immediately. For customers who opt into auto-remediation, HarborGuard triggers a full rebuild, runs a regression test suite, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, the finding appears in the triage queue with CVSS scoring and fix-version detail so the responsible team can act manually. In the interim, network policy rules that restrict which hosts can serve PDF content to Chrome-based workloads provide a meaningful compensating control by reducing the social-engineering surface.

See how HarborGuard automates this

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: 148.0.7778.216
Affected Products: 1

Fix available

148.0.7778.216

Affected packages

Google / Chrome
< 148.0.7778.216 (from 148.0.7778.216)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Metrics

Fix available