CVE-2026-9957: Use after free in PDF in Google Chrome prior to 148
Use after free in PDF in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: High)
HarborGuard Analysis
HarborGuard analysisSynopsis
A use-after-free vulnerability in the PDF component of Google Chrome allows a remote attacker to execute arbitrary code inside the browser sandbox. The flaw is reachable over the network with no authentication required, but the victim must open a specially crafted PDF file. Successful exploitation gives the attacker code execution within the Chrome sandbox, which combined with a sandbox escape could lead to full system compromise. A patched-image rebuild at version 148.0.7778.216 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-9957 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that bundle a Chrome or Chromium installation.
AvailableTriage is available with the CVSS 3.1 score of 8.8 (High) surfaced per affected image, weighted against each customer environment's compliance policy, and routed to the appropriate team inbox within each customer org.
AvailableA patched-image rebuild at Chrome 148.0.7778.216 becomes available on HarborGuard for any environment where an affected version is detected. For customers with auto-remediation enabled, the pipeline triggers a rebuild, runs a regression test suite, and opens a PR against affected workloads automatically.
AvailableExploit Conditions
- Network reachabilityRequired
The attacker delivers the crafted PDF over the network, so the targeted Chrome instance must be reachable or the user must browse to attacker-controlled content.
- AuthenticationNot required
No account or credentials are needed; the attacker only needs to get the victim to open a malicious PDF.
- Victim interactionRequired
The victim must actively open or preview a crafted PDF file, making this a social-engineering or drive-by delivery scenario.
- Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, memory-layout guesses, or other variable environmental factors.
Blast Radius
- Attacker executes arbitrary code inside the Chrome renderer sandbox, gaining control of the sandboxed process.
- Confidential data visible to the renderer, such as page contents, cached credentials, and DOM storage, becomes readable to the attacker.
- The attacker can modify in-memory page state and inject content into the rendered document.
- If chained with a sandbox escape, the attacker gains code execution at the OS user level on the victim host.
How HarborGuard Handles This
Available on HarborGuard: images containing Google Chrome versions below 148.0.7778.216 are flagged automatically when CVE-2026-9957 is ingested from upstream feeds. For customers with auto-remediation enabled, HarborGuard rebuilds the affected image at the patched version (148.0.7778.216), runs a regression test run against the rebuilt image, and opens a PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuilt image and scan diff are staged and waiting for review. All customers receive the CVSS 8.8 High severity score alongside per-environment policy weighting to help prioritize this fix against other open findings.
Metrics
- CVSS v3.1
- 8.8
- Severity
- HIGH
- Fixed in
- 148.0.7778.216
- Affected Products
- 1
Fix available
- Google / Chrome< 148.0.7778.216 (from 148.0.7778.216)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H