CVE-2026-11305: Use after free in PDFium in Google Chrome prior to 149
Use after free in PDFium in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: Low)
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: 149.0.7827.53
- Affected Products: 1
HarborGuard Analysis
Synopsis
A use-after-free vulnerability in PDFium, the PDF rendering library bundled with Google Chrome, allows a remote attacker to execute arbitrary code inside Chrome's sandbox by delivering a crafted PDF file. The vulnerability is reachable over the network and requires no authentication, but does require the victim to open a malicious PDF. Successful exploitation gives the attacker code execution within the Chrome sandbox, which may serve as a stepping stone to further compromise. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected Chrome version.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle Chrome or Chromium.
HarborGuard scores this finding at CVSS 8.8 (HIGH) and weights it against each environment's compliance policy to determine urgency and routing, directing the alert to the appropriate team inbox within each customer organization.
A patched-image rebuild at Chrome 149.0.7827.53 becomes available on HarborGuard for any environment where an affected image is detected. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads.
Exploit Conditions
- Network reachability: Required
  The attacker delivers the malicious PDF over the network, so the affected Chrome instance must be reachable or browsing to attacker-controlled content.
- Authentication: Not required
  No credentials or account access are needed; any unauthenticated remote attacker can attempt exploitation.
- Victim interaction: Required
  The victim must open or be redirected to a crafted PDF file, making a social-engineering or drive-by delivery step necessary.
- Attack complexity: Low
  Attack complexity is rated Low (AC:L), meaning the exploit is reliable and does not depend on race conditions or specific memory layout requirements.
Blast Radius
- Attacker executes arbitrary code within the Chrome renderer sandbox, gaining full control of the sandboxed process.
- Confidential data rendered or cached by the browser process, including session tokens and page content, becomes readable to the attacker.
- Attacker can modify in-memory state of the sandboxed process, potentially tampering with rendered content or facilitating a sandbox-escape chain.
- The compromised renderer process can be crashed or made unavailable, disrupting the user's browsing session.
How HarborGuard Handles This
Available on HarborGuard: images containing Chrome or Chromium builds older than 149.0.7827.53 are flagged automatically as CVE-2026-11305 matches arrive from upstream feeds. For customers with auto-remediation enabled, HarborGuard rebuilds the image at the patched version, runs regression tests, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the finding is routed to the designated team inbox with CVSS score, affected image list, and fix-version detail attached. Customers who cannot immediately update are encouraged to apply network-policy controls that restrict Chrome-based workloads from fetching arbitrary external PDF content, reducing the social-engineering surface until the patched image is promoted.
Fix available
- Google / Chrome: < 149.0.7827.53 (fixed in 149.0.7827.53)
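The detection rule described above reduces to a version comparison: any Chrome or Chromium build older than 149.0.7827.53 is affected. The following is an added example, not HarborGuard's own code, showing how to apply that rule to an image inventory. The inventory, the registry names and the packaged-version suffixes are constructed for illustration; the only value taken from the advisory is the fixed version.

```python
import re

# Fixed version taken from the advisory; every version strictly below it is affected.
FIXED_VERSION = "149.0.7827.53"

_LEADING_DIGITS = re.compile(r"\d+")


def parse_version(version: str) -> tuple:
    """Turn a dotted Chrome version string into a tuple of ints.

    Distribution packages often append a suffix such as '-1' or '~deb12u1' to the
    upstream version; only the leading digits of each component are kept
    (assumption: the upstream version always precedes any packaging suffix).
    """
    parts = []
    for component in version.strip().split("."):
        match = _LEADING_DIGITS.match(component)
        if match is None:
            break  # stop at the first component that does not start with digits
        parts.append(int(match.group()))
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(parts)


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version sorts strictly below the fixed version.

    Both tuples are zero-padded to the same length so that a short string such as
    '149.0' compares as 149.0.0.0 rather than as a shorter (hence smaller) tuple.
    """
    installed_t, fixed_t = parse_version(installed), parse_version(fixed)
    width = max(len(installed_t), len(fixed_t))
    installed_t += (0,) * (width - len(installed_t))
    fixed_t += (0,) * (width - len(fixed_t))
    return installed_t < fixed_t


# Constructed sample inventory: image reference -> Chrome version found in the image.
CONSTRUCTED_INVENTORY = {
    "registry.example.internal/ci/chrome-headless:2026-03": "148.0.7790.12",
    "registry.example.internal/ci/chrome-headless:2026-04": "149.0.7827.53-1",
    "registry.example.internal/qa/pdf-render:latest": "149.0.7827.40",
}


def flag_affected_images(inventory: dict) -> list:
    """Return the sorted list of image references whose Chrome build is affected."""
    return sorted(image for image, version in inventory.items() if is_affected(version))


if __name__ == "__main__":
    for image in flag_affected_images(CONSTRUCTED_INVENTORY):
        print(f"CVE-2026-11305 match: {image}")
```

The padding step matters in practice: package metadata sometimes records only a major.minor version, and without padding such an entry would be silently reported as affected or unaffected depending on tuple length rather than on the actual build number.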
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H