CVE-2026-11303: Use after free in PDFium in Google Chrome prior to 149
Use after free in PDFium in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: Low)
Metrics
- CVSS v3.1
- 8.8
- Severity
- HIGH
- Fixed in
- 149.0.7827.53
- Affected Products
- 1
HarborGuard Analysis
Synopsis
Use-after-free in PDFium, the PDF rendering library bundled with Google Chrome prior to version 149.0.7827.53. The vulnerability is reachable over the network and requires no authentication, but does require the victim to open a crafted PDF file. Successful exploitation gives a remote attacker arbitrary code execution inside the Chrome sandbox. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version of Chrome.
HarborGuard Coverage
Detection of CVE-2026-11303 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle a vulnerable version of Chrome.
AvailableTriage is available using the CVSS 3.1 score of 8.8 (HIGH), weighted against each customer organization's per-environment compliance policy, and routed to the appropriate team inbox within that org.
AvailableA patched-image rebuild at Chrome 149.0.7827.53 is available on HarborGuard for any environment found to ship an affected version. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run a regression test suite, and open a pull request against affected workloads automatically.
AvailableExploit Conditions
- Network reachabilityRequired
The attacker delivers the exploit over the network by serving or transmitting a crafted PDF file to the victim's browser.
- AuthenticationNot required
No account or credential is needed; any unauthenticated remote party can attempt the attack.
- Victim interactionRequired
The victim must open a crafted PDF file, meaning the attacker depends on a social-engineering or drive-by delivery step to trigger the vulnerability.
- Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental factors.
Blast Radius
- A successful attacker executes arbitrary code in the context of the Chrome renderer process inside the sandbox.
- Confidential data visible to the renderer, such as page contents, stored credentials, or session tokens, can be read.
- The attacker can tamper with rendered content or initiate further exploitation steps targeting a sandbox escape.
- The affected Chrome renderer process crashes or becomes unstable, disrupting the user's browsing session.
How HarborGuard Handles This
Available on HarborGuard: detection of CVE-2026-11303 is active for any image that ships Google Chrome below 149.0.7827.53, with results surfaced in the vulnerability dashboard within minutes of image scan. A rebuild at the fixed version is available for affected images. For customers who opt into auto-remediation, HarborGuard triggers a patched rebuild, runs regression tests, and opens a pull request against affected workloads; for HIGH-severity issues, median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy restricts automatic changes, the finding is queued for manual review with remediation guidance pointing to the 149.0.7827.53 upgrade path.
Fix available
- Google / Chrome< 149.0.7827.53 (from 149.0.7827.53)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H