How is CVE-2026-9958 exploited?

Network reachability (required): The attacker delivers the malicious PDF over the network, so the targeted host must be able to reach or receive content from an attacker-controlled source. Authentication (not-required): No account or credential is needed; the attacker only needs to get the crafted PDF in front of the victim. Victim interaction (required): The victim must open or preview a crafted PDF file, making this a social-engineering vector where the attacker must induce the user to act. Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental factors beyond victim interaction.

What is the impact of CVE-2026-9958?

Reads arbitrary memory within the Chrome renderer process, including cached credentials, session tokens, and rendered page content. Writes to freed heap memory, allowing an attacker to corrupt renderer state or inject controlled data into process memory. Crashes the Chrome renderer process, causing a denial of service for the affected browser tab or the entire browser depending on sandbox configuration. Depending on sandbox integrity, heap corruption may be chained toward a sandbox escape, broadening attacker reach beyond the renderer.

Back to search

HIGHCVE-2026-9958Published 2026-05-28Modified 2026-05-30CNA Chrome

CVE-2026-9958: Use after free in PDFium in Google Chrome prior to 148

Use after free in PDFium in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. (Chromium security severity: High)

HarborGuard Analysis

HarborGuard analysis

Synopsis

A use-after-free vulnerability exists in PDFium, the PDF rendering library bundled with Google Chrome prior to version 148.0.7778.216. The flaw is reachable over the network and requires no authentication, but does require the victim to open a crafted PDF file, which triggers heap corruption in the renderer process. Successful exploitation gives the attacker full read, write, and crash capability inside the affected process, enabling data theft, content tampering, or a renderer crash. A patched-image rebuild at version 148.0.7778.216 is available on HarborGuard for environments running an affected version of Chrome.

HarborGuard Coverage

Detection

Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle Google Chrome or Chromium. Any image containing a Chrome version below 148.0.7778.216 is flagged automatically.

Available

Triage

HarborGuard scores this CVE at CVSS 8.8 (HIGH) and weights that score against each customer environment's compliance policy to determine urgency and routing. Findings are dispatched to the appropriate team inbox within each customer org based on configured ownership rules.

Available

Patch

A patched-image rebuild at Chrome 148.0.7778.216 becomes available on HarborGuard for any image found to carry an affected version. For customers with auto-remediation enabled, the rebuild is followed by a regression-test run and a PR opened against affected workloads automatically.

Available

Exploit Conditions

Network reachabilityRequired
The attacker delivers the malicious PDF over the network, so the targeted host must be able to reach or receive content from an attacker-controlled source.
AuthenticationNot required
No account or credential is needed; the attacker only needs to get the crafted PDF in front of the victim.
Victim interactionRequired
The victim must open or preview a crafted PDF file, making this a social-engineering vector where the attacker must induce the user to act.
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental factors beyond victim interaction.

Blast Radius

Reads arbitrary memory within the Chrome renderer process, including cached credentials, session tokens, and rendered page content.
Writes to freed heap memory, allowing an attacker to corrupt renderer state or inject controlled data into process memory.
Crashes the Chrome renderer process, causing a denial of service for the affected browser tab or the entire browser depending on sandbox configuration.
Depending on sandbox integrity, heap corruption may be chained toward a sandbox escape, broadening attacker reach beyond the renderer.

How HarborGuard Handles This

Available on HarborGuard: images containing Google Chrome below 148.0.7778.216 are flagged as soon as the CVE is matched against a customer's registry or pipeline scan. For customers with auto-remediation enabled, HarborGuard rebuilds the affected image at the fixed version (148.0.7778.216), runs a regression test suite against the new image, and opens a pull request against affected workloads. The median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuilt image and a prioritized finding are staged for human review. Customers who cannot immediately redeploy should consider restricting PDF rendering capabilities or applying network-policy controls that limit the ability of browser workloads to fetch attacker-controlled content.

See how HarborGuard automates this

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: 148.0.7778.216
Affected Products: 1

Fix available

148.0.7778.216

Affected packages

Google / Chrome
< 148.0.7778.216 (from 148.0.7778.216)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Metrics

Fix available