PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-11670 Google CVE debrief

CVE-2026-11670 is a high-severity vulnerability in Google Chrome prior to version 149.0.7827.103. This use-after-free issue in the PDF component allows remote attackers to execute arbitrary code inside a sandbox via a crafted PDF file. The vulnerability has a CVSS score of 8.8 and is considered High severity by Chromium. It was published on [cvePublishedAt] and last modified on [cveModifiedAt].

Vendor
Google
Product
Chrome
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-09
Original CVE updated
2026-06-09
Advisory published
2026-06-09
Advisory updated
2026-06-09

Who should care

Users of Google Chrome prior to version 149.0.7827.103 should update to the latest version to mitigate this vulnerability. This issue is particularly concerning for users who frequently open PDF files from untrusted sources.

Technical summary

The vulnerability is a use-after-free issue in the PDF component of Google Chrome. This type of vulnerability occurs when the program attempts to use memory after it has been freed, allowing an attacker to potentially execute arbitrary code. In this case, an attacker could craft a malicious PDF file that, when opened in a vulnerable version of Chrome, could allow the attacker to execute code inside the browser's sandbox.

Defensive priority

High

Recommended defensive actions

  • Update Google Chrome to version 149.0.7827.103 or later.
  • Be cautious when opening PDF files from untrusted sources, even in a sandboxed environment.

Evidence notes

This vulnerability was published on [resourceLinkAnnotations:cve-org] and detailed further on [resourceLinkAnnotations:nvd]. Additional information can be found in the vendor advisory at [resourceLinkAnnotations:ref-4].

Official resources

CVE-2026-11670 was published on 2026-06-09T00:16:50.220Z and last modified on 2026-06-09T14:53:48.220Z.