High

Heap Buffer Overflow in PDFium in Google Chrome

IdentifiersCVE-2026-6361CWE-122· Heap-based Buffer Overflow

CVE-2026-6361 is a heap-based buffer overflow in PDFium, Google Chrome’s built-in PDF rendering engine. According to the provided content, while processing a crafted PDF file, PDFium can write more data into a heap-allocated buffer than the buffer was sized to hold, causing adjacent heap memory corruption. The exact vulnerable function or code path has not been publicly disclosed. On Windows, Chrome versions prior to 147.0.7727.101 are described as vulnerable. Successful exploitation requires a remote attacker to deliver a malicious PDF and convince the target to open it in Chrome and perform specific UI gestures. Exploitation can redirect execution flow within the Chrome renderer process and achieve arbitrary code execution inside the browser sandbox.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows arbitrary code execution within the Chrome renderer sandbox. Because the flaw is a heap corruption issue in PDFium, an attacker may be able to overwrite adjacent heap structures and gain control of execution in the sandboxed browser process. The immediate impact is therefore limited by Chrome’s sandbox, but the attacker could still access renderer-process memory and interact with content in the compromised tab or PDF-rendering context. Full host compromise would likely require chaining this vulnerability with a separate sandbox escape or privilege-escalation vulnerability.

Mitigation

If you can’t patch tonight, do this now.

Until patching is complete, reduce exposure by preventing untrusted or unsolicited PDF files from being opened in Chrome, especially on Windows endpoints. Organizations can restrict or disable in-browser PDF handling where operationally feasible, route PDF opening to more controlled workflows, and use email/web filtering to block or quarantine suspicious PDF attachments and links. Because the attack requires user interaction and specific UI gestures, user-awareness controls and limiting access to attacker-supplied PDFs can reduce exploitability, but these are temporary measures and not substitutes for updating Chrome.

Remediation

Patch, then assume compromise.

Update Google Chrome to a fixed release. The provided content states that patched versions include 147.0.7727.101 or 147.0.7727.102 for Windows and macOS, and 147.0.7727.101 for Linux. On Windows specifically, versions prior to 147.0.7727.101 are identified as vulnerable. Apply the vendor stable-channel update released on 2026-04-15 as part of the bundled Chrome security fixes.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

GoogleChromeapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

5 SOURCESView more in app

chrome releases blogNews

Apr 15, 2026

Chrome Releases: Stable Channel Update for Desktop

A high-severity heap buffer overflow vulnerability in PDFium in Google Chrome.

zeropath blogNews

Apr 15, 2026

Brief Summary: Google Chrome PDFium Heap Buffer Overflow (CVE-2026-6361) Enables In Sandbox Code Execution on Windows - ZeroPath Blog | ZeroPath

A heap-based buffer overflow in Google Chrome's PDFium PDF rendering engine that can allow remote code execution within the Chrome renderer sandbox when a user opens a crafted PDF and performs specific UI gestures.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity1

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-6361

NVD

nvd.nist.gov/vuln/detail/CVE-2026-6361

MITRE CWE · CWE-122

Heap-based Buffer Overflow

Vendor Advisory

chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_15.html

Issue Tracking

issues.chromium.org/issues/500036290