HIGH | CVE-2026-11304 | CNA: Chrome

CVE-2026-11304: Use after free in PDFium in Google Chrome prior to 149

Use after free in PDFium in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. (Chromium security severity: Low)

Metrics

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: 149.0.7827.53
Affected Products: 1


HarborGuard Analysis

Synopsis

Use-after-free in PDFium, the PDF rendering library embedded in Google Chrome prior to version 149.0.7827.53, allows a remote attacker to exploit heap corruption by delivering a crafted PDF file to a target user. The vulnerability is reachable over the network but requires the victim to open a malicious PDF, with no authentication barrier on the attacker's side. Successful exploitation gives the attacker full read, write, and execution capability within the renderer process, enabling data theft, content tampering, and potential remote code execution. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection of CVE-2026-11304 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication from upstream feeds, covering both base images and custom-built images that bundle Chrome or Chromium. Any container image carrying a Chrome version below 149.0.7827.53 is flagged automatically in registry scans and CI/CD pipeline checks.

Status: Available

Triage

HarborGuard scores this CVE at CVSS 8.8 (HIGH) and applies per-environment compliance policy weighting to prioritize it appropriately within each customer org's queue. Triage findings are routed to the team inbox or ticketing integration configured for that environment, so the right owners see it without manual sorting.

Status: Available

Patch

A patched-image rebuild at Chrome 149.0.7827.53 becomes available on HarborGuard once the fix version is confirmed in the upstream feed. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs the regression test suite against the updated image, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the crafted PDF over the network, so the target service or user must be reachable from an internet or network-adjacent position.

  • Authentication: Not required

    No account or credential is needed on the attacker's side; the attack is launched purely through a malicious file delivered to the victim.

  • Victim interaction: Required

    The victim must open or render the crafted PDF file, making this a social-engineering vector where the attacker must convince a user to interact with the malicious document.

  • Attack complexity: Detail

    Attack complexity is rated low (AC:L in the CVSS vector), meaning the score assumes the attack does not depend on race conditions, specific memory layouts, or other environmental preconditions.

Blast Radius

  • A successful attacker reads memory contents from the Chrome renderer process heap, which can include session tokens, cached credentials, and document contents.
  • The attacker writes arbitrary data into freed heap memory, enabling modification of in-process state and potentially injecting shellcode or manipulating rendered output.
  • Full confidentiality, integrity, and availability impact is indicated by the CVSS vector (C:H/I:H/A:H), meaning the attacker can crash the renderer, exfiltrate data, or pivot to further exploitation within the process sandbox.
  • If a sandbox escape is chained separately, the heap corruption primitive established here provides the initial foothold for broader host compromise.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-11304 is active across all scanning pipelines and matches any image shipping Chrome below 149.0.7827.53, including custom-built images that bundle Chromium as a dependency. A patched-image rebuild at 149.0.7827.53 is available for affected environments as soon as the fix version clears upstream ingestion. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs regression tests against the patched image, and opens a PR against affected workloads; for HIGH-severity issues, the median time from CVE publication to merged patch PR in auto-remediation-enabled environments is around 90 minutes. Where compliance policy does not permit auto-remediation, the rebuilt image and a detailed findings report are staged for manual review and approval.


Fix available: 149.0.7827.53

Affected packages
  • Google / Chrome
    < 149.0.7827.53 (from 149.0.7827.53)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H