CVE-2026-11307: Use after free in PDFium in Google Chrome prior to 149
Use after free in PDFium in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: Low)
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: 149.0.7827.53
- Affected Products: 1
HarborGuard Analysis
Synopsis
A use-after-free vulnerability in PDFium, the PDF rendering library bundled with Google Chrome, allows a remote attacker to execute arbitrary code inside the browser sandbox. The vulnerability is reachable over the network with no authentication required, but the victim must open a crafted PDF file. Successful exploitation gives the attacker code execution within the Chrome sandbox, which can be a stepping stone to further privilege escalation. A patched-image rebuild at version 149.0.7827.53 is available on HarborGuard for environments running an affected version of Chrome.
HarborGuard Coverage
Detection is available across every HarborGuard environment: CVE-2026-11307 is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle Chrome or Chromium as a dependency.
HarborGuard scores this CVE at 8.8 HIGH using the published CVSS v3.1 vector and surfaces it weighted against each environment's compliance policy, routing findings to the appropriate team inbox within the customer org.
A patched-image rebuild pinned to Chrome 149.0.7827.53 is available on HarborGuard for any environment found running an affected version. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs a regression test suite, and opens a PR against affected workloads; the median time from CVE publication to a merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled.
Exploit Conditions
- Network reachability: Required
The attacker delivers the exploit over the network, for example by hosting or distributing a crafted PDF that the victim's browser fetches.
- Authentication: Not required
No account or credential is needed; the attack works against any unauthenticated browser session.
- Victim interaction: Required
The victim must open a crafted PDF file, requiring the attacker to socially engineer the target into doing so.
- Attack complexity: Low
Exploitation is reliable and condition-free once the victim opens the file; no race conditions or special environment configuration are needed.
Blast Radius
- The attacker executes arbitrary code within the Chrome renderer sandbox, giving them full control of that sandboxed process.
- Confidential data accessible to the renderer, such as page content, session cookies, and credentials visible in the current browser context, is exposed.
- The attacker can modify data within the sandboxed environment, including in-memory state of the active page or PDF content.
- Sandbox escape primitives combined with this foothold can be used as a launchpad for further privilege escalation on the host system.
How HarborGuard Handles This
Available on HarborGuard: images containing Chrome or Chromium below version 149.0.7827.53 are flagged immediately upon scan, and a rebuilt image pinned to the fixed version is made available as soon as the CVE is processed. For customers who opt into auto-remediation, HarborGuard rebuilds the affected image, runs regression tests, and opens a PR against any workload referencing the vulnerable image; for high-severity CVEs like this one, the median time from publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Customers managing this through manual review can find the finding in their HarborGuard dashboard with full CVSS detail and affected image inventory, ready for triage.
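The flagging step described above comes down to a correct version comparison: a build is affected when its numeric components sort below 149.0.7827.53, and a naive string comparison gets this wrong (a two-digit major version sorts lexically above "149"). The following is an added example, not HarborGuard's scanner; the package names, image names and inventory records are constructed for illustration.

```python
"""Flag inventory records whose Chrome/Chromium build is below the fix.

Added example, not HarborGuard's own code. It shows the version
comparison a scanner needs for CVE-2026-11307; package names and the
sample inventory are constructed placeholders.
"""
import re

FIXED_VERSION = "149.0.7827.53"  # fixed build stated in the advisory
# Assumed package names a distro might use for Chrome/Chromium builds.
CHROME_PACKAGES = {"google-chrome-stable", "chromium", "chromium-browser"}


def parse_chrome_version(text: str) -> tuple[int, ...]:
    """Turn '149.0.7827.53' (optionally followed by a distro suffix such as
    '-1') into a tuple of ints. Comparing the strings lexically is wrong
    ('99.x' > '149.x'), so compare the numeric components instead."""
    m = re.match(r"^(\d+(?:\.\d+){3})", text)
    if not m:
        raise ValueError(f"unrecognised Chrome version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build is strictly below the fixed build."""
    return parse_chrome_version(version) < parse_chrome_version(fixed)


def find_affected(inventory: list[dict]) -> list[str]:
    """Return the image names that carry a vulnerable Chrome/Chromium package."""
    hits = []
    for record in inventory:
        if record["package"] not in CHROME_PACKAGES:
            continue  # unrelated package, not in scope for this CVE
        if is_affected(record["version"]):
            hits.append(record["image"])
    return hits


# Constructed sample inventory: image names and versions are illustrative only.
SAMPLE_INVENTORY = [
    {"image": "registry.example/ci-e2e:42", "package": "google-chrome-stable", "version": "148.0.7790.12-1"},
    {"image": "registry.example/pdf-render:7", "package": "chromium", "version": "149.0.7827.53"},
    {"image": "registry.example/headless:3", "package": "chromium-browser", "version": "149.0.7827.80"},
    {"image": "registry.example/api:1", "package": "openssl", "version": "3.0.13"},
    # Old two-digit major: sorts above "149" lexically, below it numerically.
    {"image": "registry.example/kiosk:9", "package": "google-chrome-stable", "version": "99.0.4844.51"},
]

if __name__ == "__main__":
    for image in find_affected(SAMPLE_INVENTORY):
        print(f"AFFECTED by CVE-2026-11307: {image}")
```

The exact fixed build is treated as not affected, matching the "< 149.0.7827.53" range the advisory gives; any later build in the same major or a later major passes as well.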
Fix available
- Google / Chrome: < 149.0.7827.53 (fixed from 149.0.7827.53)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H