CVE-2026-14108
Google · Chrome
A use-after-free vulnerability in the PDFium library within Google Chrome may allow an attacker to execute arbitrary code.
Executive summary
A high-severity (CVSS 8.8) use-after-free flaw in Google Chrome's PDFium engine is triggered by rendering a malicious PDF and may lead to remote code execution on the user's machine.
Vulnerability
This vulnerability resides in PDFium, the library Chrome uses to render PDF files inside the browser. An attacker with no prior access can trigger it by getting a user to open or preview a crafted PDF in Chrome, for example through a link or an e-mail attachment. The resulting use-after-free corrupts memory and can be turned into arbitrary code execution. That code initially runs inside Chrome's sandboxed renderer process, so reaching the host operating system generally requires chaining with a separate sandbox-escape bug; treat the sandbox as a mitigation that buys time, not as a substitute for patching.
Business impact
With a CVSS score of 8.8 (High), this vulnerability represents a significant threat to organizational security. Successful exploitation gives an attacker code execution in the context of the browser user (initially within the renderer sandbox), which can be used to read data the browser can access, steal session material, or, when chained with a sandbox escape, install persistent malware on the endpoint.
Remediation
Immediate Action: Upgrade Google Chrome to version 150 or later, which carries the fixed PDFium. Chrome version numbers are four dot-separated integers, so compare them numerically rather than as strings when checking fleet compliance. Other Chromium-based browsers and products that embed PDFium may also be affected; consult those vendors' advisories.
Proactive Monitoring: Review telemetry for Chrome renderer-process crashes clustered around PDF downloads or previews, and for PDFs arriving from untrusted sources shortly before such crashes. Renderer crashes are the usual footprint of a failed or partially successful exploit attempt against a rendering library.
Compensating Controls: Until patches are applied, use Chrome enterprise policy to stop in-browser PDF rendering, for example AlwaysOpenPdfExternally, which makes Chrome download PDFs instead of rendering them with PDFium. This shifts the risk to whichever external reader opens the file rather than removing it, so pair it with controls on that reader and on where downloaded PDFs may be opened.
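The remediation steps above amount to two checks a security team will script: which hosts are still below the fixed version, and what policy to push to the ones that cannot be updated yet. The following Python is an added example written for this page, not code from Google or the advisory. It assumes the fixed version is the "150 or later" stated above (the MIN_FIXED_VERSION constant should be replaced with the exact fixed build from the Chrome release notes), assumes an inventory in the constructed "hostname,version" form shown, and uses the real Chrome policy name AlwaysOpenPdfExternally.

```python
"""Fleet check for the Chrome/PDFium advisory: flag hosts still below the
fixed version and emit the Chrome managed-policy JSON used as a stop-gap."""
import json

# Minimum fixed major version as stated in the advisory text. Assumption:
# confirm the exact fixed build (150.0.x.y) in the Chrome release notes and
# replace this constant with it before relying on the check.
MIN_FIXED_VERSION = "150.0.0.0"


def parse_version(version: str) -> tuple:
    """Turn a Chrome version string such as '150.0.7300.10' into a tuple of
    ints so that comparisons are numeric. A plain string comparison would
    rank '9.0.0.0' above '150.0.0.0' and mark an ancient build as patched."""
    parts = version.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version: {version!r}")
    # Pad to four components so '150' and '150.0.0.0' compare equal.
    return tuple(int(p) for p in parts) + (0,) * (4 - len(parts))


def is_patched(version: str, min_fixed: str = MIN_FIXED_VERSION) -> bool:
    """True when the installed version is at or above the fixed version."""
    return parse_version(version) >= parse_version(min_fixed)


def noncompliant_hosts(inventory_lines, min_fixed=MIN_FIXED_VERSION):
    """Return (hostname, version) pairs that still need the update.
    Input lines are 'hostname,version'; unparsable or missing versions are
    reported too, because an unknown version must not be treated as safe."""
    findings = []
    for line in inventory_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        try:
            if not is_patched(version, min_fixed):
                findings.append((host, version))
        except ValueError:
            findings.append((host, version or "<missing>"))
    return findings


def managed_pdf_policy() -> dict:
    """Chrome enterprise policy that downloads PDFs instead of rendering them
    in-browser, taking PDFium out of the path for web-delivered PDFs.
    On Linux this JSON is dropped into /etc/opt/chrome/policies/managed/;
    on Windows and macOS the same policy name is set via GPO/registry or a
    configuration profile."""
    return {"AlwaysOpenPdfExternally": True}


# Constructed sample inventory for the example (not real hosts).
SAMPLE_INVENTORY = [
    "# host,chrome_version",
    "ws-01,150.0.7300.10",   # patched
    "ws-02,149.0.7180.55",   # one major behind
    "ws-03,9.0.0.0",         # would pass a naive string comparison
    "ws-04,150",             # major-only version string, treated as 150.0.0.0
    "ws-05,",                # version missing from inventory
]

if __name__ == "__main__":
    for host, ver in noncompliant_hosts(SAMPLE_INVENTORY):
        print(f"NEEDS UPDATE: {host} ({ver})")
    print(json.dumps(managed_pdf_policy(), indent=2))
```

The policy dictionary is deliberately minimal: it contains only the setting named in the remediation text, and it should be removed again once the fleet is confirmed patched, since it pushes PDF handling onto an external reader with its own parser bugs.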
Exploitation status
Public Exploit Available: false
Analyst recommendation
Because Chrome renders PDFs with PDFium by default, every user who opens PDFs in the browser is exposed, which makes this a high-priority update. Security teams should ensure that all browser instances are updated to the latest available version and verify the result by version number rather than by assuming auto-update has completed, to protect against this memory-corruption vector.