CVE-2026-14108

Google · Chrome

A use-after-free vulnerability in the PDFium library within Google Chrome may allow an attacker to execute arbitrary code.

Executive summary

A critical use-after-free flaw in Google Chrome’s PDFium engine exposes users to potential remote code execution through malicious document processing.

Vulnerability

This vulnerability resides in the PDFium library, which handles PDF rendering within the browser. An unauthenticated attacker can exploit this via a maliciously crafted PDF file, resulting in memory corruption and possible arbitrary code execution.

Business impact

With a CVSS score of 8.8, this vulnerability represents a significant threat to organizational security. Successful exploitation could grant an attacker the ability to execute code in the context of the user, leading to unauthorized access to sensitive information or the installation of persistent malware.

Remediation

Immediate Action: Upgrade Google Chrome to version 150 or later to patch the vulnerable PDFium library components.

Proactive Monitoring: Review security telemetry for suspicious file-access patterns or browser-based document rendering errors that could signal an attempt to trigger the vulnerability.

Compensating Controls: Use browser security policies to disable or restrict the auto-opening of PDF files from untrusted sources until patches can be applied.
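The following POSIX shell script is an added example, not part of the advisory and not Google tooling. It covers the first and third remediation items: a version gate against the fixed major version stated above (150), and a Chrome managed-policy file that sets the enterprise policy AlwaysOpenPdfExternally, which makes Chrome hand PDFs to the system's external handler instead of rendering them in the built-in PDFium viewer. The policy name and the Linux policy directory /etc/opt/chrome/policies/managed/ are standard Chrome enterprise policy locations; the function names, the version-parsing expression and the policy file name pdf-external.json are my own choices. The script writes the policy into whatever directory you pass so it can be tried without root.

```shell
#!/bin/sh
# Added example: gate on the fixed Chrome major version from the advisory and
# emit a managed policy that keeps PDFs out of the in-browser PDFium renderer.
set -eu

# Minimum fixed major version stated in the advisory.
CHROME_FIXED_MAJOR=150

# parse_chrome_version "Google Chrome 149.0.7230.61" -> prints "149.0.7230.61".
# Works on the output of `google-chrome --version` / `chromium --version`.
parse_chrome_version() {
    printf '%s\n' "$1" | sed -n 's/.*[ ]\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# chrome_is_patched VERSION -> exit 0 if the major component is >= 150,
# 1 if it is older, 2 if the argument is not a version string at all.
chrome_is_patched() {
    major=${1%%.*}
    case $major in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$major" -ge "$CHROME_FIXED_MAJOR" ]
}

# installed_chrome_version -> prints the version of the first Chrome/Chromium
# binary found on PATH, or returns 1 if none is installed.
installed_chrome_version() {
    for bin in google-chrome google-chrome-stable chromium chromium-browser; do
        if command -v "$bin" >/dev/null 2>&1; then
            parse_chrome_version "$("$bin" --version 2>/dev/null)"
            return 0
        fi
    done
    return 1
}

# write_pdf_policy DIR -> writes a managed policy JSON into DIR and prints its path.
# On a real Linux host DIR is /etc/opt/chrome/policies/managed/ (root required);
# on Windows the equivalent is the AlwaysOpenPdfExternally DWORD under
# HKLM\SOFTWARE\Policies\Google\Chrome. File name is my own choice.
write_pdf_policy() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/pdf-external.json" <<'EOF'
{
  "AlwaysOpenPdfExternally": true
}
EOF
    printf '%s\n' "$dir/pdf-external.json"
}

# Usage: report whether the locally installed browser (if any) carries the fix.
if v=$(installed_chrome_version); then
    if chrome_is_patched "$v"; then
        echo "Chrome $v: at or above $CHROME_FIXED_MAJOR, PDFium fix present"
    else
        echo "Chrome $v: below $CHROME_FIXED_MAJOR, update required"
    fi
fi
```

Run `write_pdf_policy /etc/opt/chrome/policies/managed` as root on a managed Linux endpoint once the version check reports an unpatched build; Chrome picks up managed policies on next launch, and `chrome://policy` shows whether AlwaysOpenPdfExternally took effect. Remove the file after the fleet is on 150 or later if in-browser PDF viewing is wanted again.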

Exploitation status

Public Exploit Available: false

Analyst recommendation

The reliance on PDFium for document rendering makes this a high-priority update. Security teams should ensure that all browser instances are updated to the latest available version to protect against this memory-related exploit vector.