CVE-2026-11306: Use after free in PDFium in Google Chrome prior to 149
Use after free in PDFium in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: Low)
Metrics
- CVSS v3.1
- 8.8
- Severity
- HIGH
- Fixed in
- 149.0.7827.53
- Affected Products
- 1
HarborGuard Analysis
Synopsis
Use-after-free in PDFium, the PDF rendering library bundled with Google Chrome prior to version 149.0.7827.53, allows a remote attacker to execute arbitrary code inside the browser sandbox by getting a user to open a crafted PDF file. The vulnerability is reachable over the network and requires no authentication, but does require the victim to interact with a malicious file. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version of Chrome.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle a Chrome or Chromium installation.
AvailableHarborGuard scores this finding at 8.8 HIGH using the CVSS v3.1 vector and weights it further against each environment's compliance policy, then routes the alert to the appropriate team inbox within the customer organization.
AvailableA patched-image rebuild pinned to Chrome 149.0.7827.53 becomes available on HarborGuard for any image found to carry an affected version. For customers with auto-remediation enabled, HarborGuard runs the rebuild, executes a regression test suite against it, and opens a PR against the affected workload repositories.
AvailableExploit Conditions
- Network reachabilityRequired
The attacker delivers the exploit over the network, typically by hosting a malicious PDF on a site the victim visits or by sending it as a download.
- AuthenticationNot required
No account or credential of any kind is needed; the attacker is anonymous.
- Victim interactionRequired
The victim must open or render a crafted PDF file, making social engineering (phishing link, email attachment, or drive-by download) a prerequisite.
- Attack complexityDetail
Exploit conditions are reliable and free of race conditions or environmental dependencies, making successful exploitation straightforward once the victim opens the file.
Blast Radius
- The attacker executes arbitrary code in the context of the Chrome renderer process, gaining full control over the code running inside that sandboxed process.
- Confidential data visible to the renderer, such as page content, session state, and in-memory credentials, is readable by the attacker.
- The attacker can modify data processed by the renderer, including form submissions and rendered document content.
- The renderer process can be crashed or made unresponsive, disrupting the user's browsing session for any tab handled by that process.
How HarborGuard Handles This
Available on HarborGuard: any image containing Google Chrome below 149.0.7827.53 is flagged at ingestion time and assigned an 8.8 HIGH finding. Where compliance policy permits, a rebuilt image pinned to the fixed version (149.0.7827.53) is prepared automatically. For customers who opt into auto-remediation, HarborGuard runs a regression test against the rebuilt image and opens a PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. For teams that manage patching manually, the finding appears in the priority queue with the fix version pre-populated so no additional research is needed.
Fix available
- Google / Chrome< 149.0.7827.53 (from 149.0.7827.53)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H