PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-6306 Google CVE debrief

A heap buffer overflow in PDFium, the PDF rendering engine used by Google Chrome, allows remote code execution via crafted PDF files. The vulnerability affects Chrome versions prior to 147.0.7727.101 and carries a High severity rating from the Chromium security team. The CVSS 3.1 score of 8.8 reflects a network attack vector, low attack complexity, no privileges required, and high impact to confidentiality, integrity, and availability. The flaw requires user interaction (opening a malicious PDF). The CPE configuration lists Google Chrome as the vulnerable product, with macOS, Linux, and Windows recorded as separate, non-vulnerable platform entries. The vendor field shows Apple with medium confidence based on NVD CPE data; this appears to be a data association artifact rather than accurate vendor attribution, since the Chrome release notes and Chromium issue tracker confirm Google as the responsible vendor. No KEV listing exists for this vulnerability. The CWE classification is CWE-122 (Heap-based Buffer Overflow).

Vendor: Google
Product: Chrome
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-15
Original CVE updated: 2026-05-26
Advisory published: 2026-04-15
Advisory updated: 2026-05-26

Who should care

Organizations with unmanaged Chrome installations, enterprises relying on Chrome for PDF viewing, security teams tracking browser-based attack vectors, and incident responders investigating suspicious PDF-related Chrome crashes.

Technical summary

The vulnerability exists in PDFium, Chrome's open-source PDF rendering library. A heap buffer overflow can be triggered when processing a malformed PDF document, potentially leading to arbitrary code execution within the Chrome sandbox. The attack requires convincing a user to open a malicious PDF file in Chrome. The sandbox containment limits but does not eliminate the security risk. The fix was released in Chrome 147.0.7727.101 on April 15, 2026.

Defensive priority

High

Recommended defensive actions

  • Update Google Chrome to version 147.0.7727.101 or later to address the heap buffer overflow in PDFium
  • Configure Chrome to open PDFs in external applications rather than the built-in PDF viewer as a temporary risk reduction measure
  • Enable site isolation and sandboxing features, which may limit exploit impact
  • Monitor for unusual Chrome child processes or unexpected PDF rendering behavior as potential exploitation indicators
  • Review and restrict PDF attachments in email gateways and web proxies pending endpoint updates
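The first action above hinges on a correct "older than 147.0.7727.101" test. As an added example (not PatchSiren's or Google's code), the script below triages a constructed inventory of hypothetical hosts against the fix version, comparing the four version parts as integers rather than as strings, and puts hosts with no parseable version in an "unknown" bucket for manual follow-up.

```python
import re

# Fix version stated in the debrief above; builds older than this are affected.
FIXED_VERSION = "147.0.7727.101"

# Constructed sample inventory (hypothetical hosts), "<host> <version string>" per line.
SAMPLE_INVENTORY = """\
ws-01 147.0.7727.101
ws-02 147.0.7727.99
ws-03 146.0.7600.200
ws-04 Google Chrome 147.0.7727.120
ws-05 not installed
"""

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")

def parse_version(text):
    """Extract a four-part Chrome version as an int tuple, or None if absent."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None

def is_vulnerable(version_text):
    """True when the build is older than FIXED_VERSION. Compare as int tuples:
    as strings "147.0.7727.99" sorts after "147.0.7727.101" and would be missed."""
    v = parse_version(version_text)
    if v is None:
        raise ValueError(f"no Chrome version in {version_text!r}")
    return v < parse_version(FIXED_VERSION)

def triage_inventory(text):
    """Sort hosts into vulnerable / patched / unknown buckets (dict of lists)."""
    buckets = {"vulnerable": [], "patched": [], "unknown": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        host, _, version_text = line.partition(" ")
        if parse_version(version_text) is None:
            buckets["unknown"].append(host)        # needs manual follow-up
        elif is_vulnerable(version_text):
            buckets["vulnerable"].append(host)
        else:
            buckets["patched"].append(host)
    return buckets

if __name__ == "__main__":
    for bucket, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```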

Evidence notes

Primary sources: Chrome Release Notes (ref-4) and Chromium issue tracker (ref-5). The CVSS vector and CPE data come from the NVD source item. The vendor field shows Apple with medium confidence from NVD CPE data, but this contradicts the actual affected product (Google Chrome) per official Chrome security sources.
