CVE-2026-11670: Use after free in PDF in Google Chrome prior to 149
Use after free in PDF in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: High)
Metrics
- CVSS v3.1
- 8.8
- Severity
- HIGH
- Fixed in
- 149.0.7827.103
- Affected Products
- 1
HarborGuard Analysis
Synopsis
Use-after-free in the PDF component of Google Chrome (versions prior to 149.0.7827.103) allows a remote attacker to execute arbitrary code inside the Chrome sandbox by convincing a user to open a crafted PDF file. The vulnerability is reachable over the network and requires no authentication, but does require the victim to interact with a malicious file. A patched-image rebuild at version 149.0.7827.103 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle or ship Google Chrome. Any image containing a Chrome version below 149.0.7827.103 is flagged automatically.
AvailableHarborGuard scores this CVE at CVSS 8.8 (HIGH) and surfaces it accordingly within each customer environment, weighted against that environment's compliance policy. Triage routing delivers the finding to the inbox or ticketing integration configured for the affected workload owner.
AvailableA patched-image rebuild at Chrome 149.0.7827.103 is available on HarborGuard for any environment where an affected image is detected. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.
AvailableExploit Conditions
- Network reachabilityRequired
The attacker delivers the crafted PDF over the network, so the targeted Chrome instance must be reachable or the user must be able to fetch attacker-controlled content from the network.
- AuthenticationNot required
No account or credential is needed; the attacker delivers the payload without authenticating to any service.
- Victim interactionRequired
The victim must open or render a crafted PDF file, requiring the attacker to use a social-engineering vector such as a malicious link, email attachment, or embedded file.
- Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental preconditions.
Blast Radius
- Arbitrary code executes inside the Chrome renderer sandbox, giving the attacker control over the renderer process.
- Confidential data accessible to the renderer, including page content, cached credentials, and session tokens, is readable by the attacker.
- The attacker can modify data handled within the sandboxed process, including intercepting or tampering with rendered content.
- The renderer process crashes or becomes unresponsive, disrupting the user session for the affected tab or window.
How HarborGuard Handles This
Available on HarborGuard: detection for this CVE is active against all scanned images the moment the advisory is ingested, with no manual configuration required. For environments running Chrome below 149.0.7827.103, a rebuilt image at the fixed version is available. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image, executes a regression run, and opens a pull request against affected workloads; the median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Customers who manage remediation manually can retrieve the flagged image list and the target rebuild version directly from the HarborGuard findings dashboard.
Fix available
- Google / Chrome< 149.0.7827.103 (from 149.0.7827.103)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H