How is CVE-2026-10945 exploited?

Network reachability (required): The attacker delivers the crafted PDF over the network, so the victim's browser must be reachable or the attacker must be able to serve content to it remotely. Authentication (not-required): No account or credential is required from the attacker; the attack is launched by serving a malicious PDF to any visiting user. Victim interaction (required): The victim must open the crafted PDF and perform specific UI gestures within the Chrome PDF viewer, making this a social-engineering-dependent attack. Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, memory-layout guessing, or other environmental preconditions.

What is the impact of CVE-2026-10945?

Executes arbitrary attacker-controlled code inside the Chrome renderer sandbox, giving the attacker full control of that process. Reads any data accessible to the sandboxed renderer, including page content, cookies visible to the renderer context, and in-memory document data. Writes or modifies data within the sandboxed process, enabling tampering with rendered content or in-process state. Crashes or destabilizes the affected renderer process, causing loss of availability for the browsing session or any embedded Chrome component.

Back to search

HIGHCVE-2026-10945Published 2026-06-04Modified 2026-06-05CNA Chrome

CVE-2026-10945: Use after free in PDF in Google Chrome prior to 149

Use after free in PDF in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: High)

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: 149.0.7827.53
Affected Products: 1

HarborGuard Analysis

Synopsis

A use-after-free vulnerability in Google Chrome's PDF renderer affects all Chrome versions prior to 149.0.7827.53. The bug is reachable over the network but requires the victim to perform specific UI gestures with a crafted PDF file; no authentication is needed from the attacker's side. Successful exploitation lets an attacker execute arbitrary code inside the Chrome sandbox, combining full confidentiality, integrity, and availability impact within that sandboxed process. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including internally built images that bundle a Chrome or Chromium binary. Any image layer containing a Chrome version below 149.0.7827.53 is flagged immediately.

Available

Triage

HarborGuard scores this CVE at 8.8 HIGH using the published CVSS v3.1 vector and applies each customer org's compliance policy weighting to prioritize it appropriately, routing findings to the team or inbox configured for that environment.

Available

Patch

A patched-image rebuild at Chrome 149.0.7827.53 is available on HarborGuard for any environment where an affected image is detected. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads automatically.

Available

Exploit Conditions

Network reachabilityRequired
The attacker delivers the crafted PDF over the network, so the victim's browser must be reachable or the attacker must be able to serve content to it remotely.
AuthenticationNot required
No account or credential is required from the attacker; the attack is launched by serving a malicious PDF to any visiting user.
Victim interactionRequired
The victim must open the crafted PDF and perform specific UI gestures within the Chrome PDF viewer, making this a social-engineering-dependent attack.
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, memory-layout guessing, or other environmental preconditions.

Blast Radius

Executes arbitrary attacker-controlled code inside the Chrome renderer sandbox, giving the attacker full control of that process.
Reads any data accessible to the sandboxed renderer, including page content, cookies visible to the renderer context, and in-memory document data.
Writes or modifies data within the sandboxed process, enabling tampering with rendered content or in-process state.
Crashes or destabilizes the affected renderer process, causing loss of availability for the browsing session or any embedded Chrome component.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of CVE publication for any image containing Chrome below 149.0.7827.53, covering both upstream base images and custom images that bundle Chromium. A rebuilt image at the fixed version (149.0.7827.53) is available for affected environments. For customers who opt into auto-remediation, HarborGuard triggers the rebuild, executes a regression run, and opens a PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy or organizational controls require manual approval, the rebuilt image and test results are staged and the finding is routed to the designated team for review.

See how HarborGuard automates this

Fix available

149.0.7827.53

Affected packages

Google / Chrome
< 149.0.7827.53 (from 149.0.7827.53)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available