Introduction
A heap buffer overflow in Google Chrome's built-in PDF rendering engine allows a remote attacker to execute arbitrary code inside the browser sandbox on Windows systems, requiring only that a user open a crafted PDF and perform certain UI gestures. With Chrome holding roughly 69 percent of the global browser market, CVE-2026-6361 represents a significant attack surface even though exploitation is contained within the sandbox boundary.
Technical Information
The vulnerability resides in PDFium, the PDF rendering engine embedded in Google Chrome. It is classified as CWE-122: Heap-based Buffer Overflow. A heap buffer overflow occurs when a program writes data beyond the boundaries of a dynamically allocated memory region on the heap, potentially corrupting adjacent memory structures such as heap metadata, object pointers, or vtable entries.
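To make the CWE-122 pattern concrete, the following is an added illustration written for this page; it is not PDFium code and not the code path behind CVE-2026-6361, which remains undisclosed. A parser copies a payload into a heap buffer using a length field read from the file. The record format (one declared-length byte followed by the payload), the 16-byte capacity, and the sample records are all constructed for the example. The unchecked version trusts the declared length; the hardened version carries the capacity with the buffer and rejects the record before any write happens.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed record layout used only for this example (NOT PDFium's format):
 * byte 0 is the declared payload length, followed by the payload bytes. */
#define RECORD_CAPACITY 16   /* size the parser allocates for a payload */

/* Vulnerable pattern (CWE-122): the destination was sized from a fixed
 * assumption, but the copy length comes from the untrusted input and is never
 * compared against that size. A record declaring more than RECORD_CAPACITY
 * bytes makes memcpy write past the end of dst, corrupting whatever the
 * allocator placed next to it. Returns the number of bytes copied. */
static size_t parse_record_unchecked(const uint8_t *rec, uint8_t *dst)
{
    size_t declared_len = rec[0];
    memcpy(dst, rec + 1, declared_len);   /* no bound check on declared_len */
    return declared_len;
}

/* Hardened pattern: the capacity travels with the buffer, and the declared
 * length is checked against both the bytes actually received and the
 * allocation before any write happens. Returns bytes copied, or -1. */
struct bounded_buf {
    uint8_t *data;
    size_t   cap;
};

static long parse_record_checked(const uint8_t *rec, size_t rec_len,
                                 struct bounded_buf *dst)
{
    if (rec == NULL || dst == NULL || rec_len < 1)
        return -1;
    size_t declared_len = rec[0];
    if (declared_len > rec_len - 1)
        return -1;                        /* claims more bytes than were received */
    if (declared_len > dst->cap)
        return -1;                        /* would overflow the heap allocation */
    memcpy(dst->data, rec + 1, declared_len);
    return (long)declared_len;
}

/* Constructed hostile inputs: rec_a declares 200 bytes but only 16 follow;
 * rec_b declares 32 bytes, all of which follow, but the allocation holds 16.
 * Returns 1 if the hardened parser rejects both, 0 otherwise. */
int demo_oversized_records_rejected(void)
{
    uint8_t *store = malloc(RECORD_CAPACITY);
    if (store == NULL)
        return 0;
    struct bounded_buf dst = { store, RECORD_CAPACITY };

    uint8_t rec_a[17] = { 200 };
    memset(rec_a + 1, 'A', 16);
    uint8_t rec_b[33] = { 32 };
    memset(rec_b + 1, 'B', 32);

    int ok = parse_record_checked(rec_a, sizeof rec_a, &dst) == -1
          && parse_record_checked(rec_b, sizeof rec_b, &dst) == -1;
    free(store);
    return ok;
}

/* Constructed well-formed record (8 payload bytes). Returns the byte count
 * copied by the hardened parser, or -1 if either parser misbehaves. */
long demo_wellformed_record_copied(void)
{
    uint8_t *store = malloc(RECORD_CAPACITY);
    if (store == NULL)
        return -1;
    struct bounded_buf dst = { store, RECORD_CAPACITY };
    uint8_t rec[9] = { 8, 'P', 'D', 'F', '-', 'T', 'E', 'S', 'T' };
    long n = parse_record_checked(rec, sizeof rec, &dst);
    int ok = (n == 8 && memcmp(store, "PDF-TEST", 8) == 0);
    /* On well-formed input the unchecked parser behaves identically; the two
     * only diverge on hostile input, which is exactly the defect class. */
    ok = ok && parse_record_unchecked(rec, store) == 8;
    free(store);
    return ok ? n : -1;
}

int main(void)
{
    printf("oversized records rejected: %s\n",
           demo_oversized_records_rejected() ? "yes" : "no");
    printf("well-formed record copied: %ld bytes\n", demo_wellformed_record_copied());
    return 0;
}
```

The point of the contrast is that the check belongs at the boundary between the untrusted length and the allocation; reviewing a parser for this class means finding every place a length or count from the input decides how many bytes are written and confirming that each one is compared against the destination's real capacity.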
Root Cause
During the processing of a specially crafted PDF file, PDFium writes more data to a heap-allocated buffer than the buffer was sized to hold. The specific code path and triggering condition have not been publicly disclosed; Google restricts access to the Chromium issue tracker entry (Issue 500036290) until a majority of users have updated to the patched version.
Attack Flow
The exploitation chain proceeds as follows:
- Delivery: A remote attacker crafts a malicious PDF file designed to trigger the heap buffer overflow in PDFium. This file can be delivered via email attachment, a link to a web-hosted PDF, or any other mechanism that results in Chrome rendering the document.
- User Interaction: The target user opens the PDF in Google Chrome on a Windows system. The user must then engage in specific UI gestures. The exact nature of these gestures has not been disclosed, but they are a required precondition for triggering the overflow.
- Memory Corruption: The crafted PDF causes PDFium to write beyond the allocated heap buffer, corrupting adjacent heap memory. Depending on the heap layout, this can overwrite function pointers, object metadata, or other control structures.
- Code Execution: The attacker leverages the corrupted memory state to redirect execution flow, achieving arbitrary code execution within the Chrome renderer process sandbox.
CVSS Vector Inconsistency
One detail worth noting for security teams performing risk assessments: the CVSS 3.1 vector string provided by CISA ADP (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) lists User Interaction as None. This conflicts with the narrative description from the NVD, which explicitly states the attacker must convince a user to engage in specific UI gestures. We recommend treating user interaction as a required component of the attack chain based on the primary vulnerability description.
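The scoring difference is easy to quantify. The following added example, written for this page rather than taken from the advisory or from any CISA or NVD tooling, implements the CVSS v3.1 base score equations from the FIRST specification and rescores the published vector with UI:R in place of UI:N. As published it scores 7.2 (High); with user interaction treated as required it scores 6.1 (Medium), which is the gap a risk assessment sees depending on which reading it adopts. Scores are returned in tenths (72, 61) so they compare exactly.

```c
#include <stdio.h>
#include <string.h>

/* Metric weights from the CVSS v3.1 specification. */
static double w_av(char c) { return c == 'N' ? 0.85 : c == 'A' ? 0.62 : c == 'L' ? 0.55 : 0.20; }
static double w_ac(char c) { return c == 'L' ? 0.77 : 0.44; }
static double w_pr(char c, int changed)
{
    if (c == 'N') return 0.85;
    if (c == 'L') return changed ? 0.68 : 0.62;
    return changed ? 0.50 : 0.27;
}
static double w_ui(char c) { return c == 'N' ? 0.85 : 0.62; }
static double w_cia(char c) { return c == 'H' ? 0.56 : c == 'L' ? 0.22 : 0.0; }

/* Returns the value letter of metric `key` (e.g. "UI") in the vector, or 0.
 * Matches only at a field boundary so "C" does not match inside "AC:" or
 * the optional "CVSS:3.1/" prefix. */
static char metric(const char *vec, const char *key)
{
    size_t n = strlen(key);
    for (const char *p = vec; (p = strstr(p, key)) != NULL; p++)
        if ((p == vec || p[-1] == '/') && p[n] == ':' && p[n + 1] != '\0')
            return p[n + 1];
    return 0;
}

/* CVSS v3.1 Roundup(): smallest one-decimal value >= x, in tenths (7.2 -> 72). */
static int roundup_x10(double x)
{
    long i = (long)(x * 100000.0 + 0.5);
    return (i % 10000 == 0) ? (int)(i / 10000) : (int)(i / 10000) + 1;
}

/* Base score in tenths for a v3.1 vector; -1 if a base metric is missing. */
int cvss31_base_x10(const char *vec)
{
    char av = metric(vec, "AV"), ac = metric(vec, "AC"), pr = metric(vec, "PR"),
         ui = metric(vec, "UI"), s = metric(vec, "S"), c = metric(vec, "C"),
         i = metric(vec, "I"), a = metric(vec, "A");
    if (!av || !ac || !pr || !ui || !s || !c || !i || !a)
        return -1;
    int changed = (s == 'C');
    double iss = 1.0 - (1.0 - w_cia(c)) * (1.0 - w_cia(i)) * (1.0 - w_cia(a));
    double impact;
    if (changed) {
        double t = iss - 0.02, t15 = 1.0;
        for (int k = 0; k < 15; k++) t15 *= t;      /* (ISS - 0.02)^15 */
        impact = 7.52 * (iss - 0.029) - 3.25 * t15;
    } else {
        impact = 6.42 * iss;
    }
    if (impact <= 0.0)
        return 0;
    double expl = 8.22 * w_av(av) * w_ac(ac) * w_pr(pr, changed) * w_ui(ui);
    double raw = changed ? 1.08 * (impact + expl) : impact + expl;
    return roundup_x10(raw > 10.0 ? 10.0 : raw);
}

/* Qualitative severity rating for a score in tenths. */
const char *severity(int x10)
{
    if (x10 <= 0) return "None";
    if (x10 < 40) return "Low";
    if (x10 < 70) return "Medium";
    if (x10 < 90) return "High";
    return "Critical";
}

/* Rescores the same vector with UI:N replaced by UI:R; -1 if UI:N is absent. */
int rescore_with_ui_required(const char *vec)
{
    char buf[128];
    if (strlen(vec) >= sizeof buf) return -1;
    strcpy(buf, vec);
    char *p = strstr(buf, "UI:N");
    if (p == NULL) return -1;
    p[3] = 'R';
    return cvss31_base_x10(buf);
}

int main(void)
{
    const char *vec = "AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N";   /* vector from the CISA ADP entry */
    int as_published = cvss31_base_x10(vec);
    int ui_required = rescore_with_ui_required(vec);
    printf("as published (UI:N): %d.%d %s\n", as_published / 10, as_published % 10, severity(as_published));
    printf("with UI:R:           %d.%d %s\n", ui_required / 10, ui_required % 10, severity(ui_required));
    return 0;
}
```

Because Scope is Changed, User Interaction only enters through the exploitability term, so the one-metric change moves the result across the High/Medium boundary; that boundary is what many patch-priority policies key on, which is why the discrepancy matters in practice.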
Sandbox Containment
Successful exploitation results in arbitrary code execution, but this execution is constrained within the Chrome sandbox. The CVSS scoring reflects this containment through a Changed Scope (S:C) designation with Low impacts to both Confidentiality and Integrity, and no impact to Availability. Achieving full system compromise would likely require chaining this vulnerability with a separate sandbox escape flaw. That said, in-sandbox code execution still provides meaningful attacker capabilities, including reading renderer process memory and interacting with web content in the context of the compromised tab.
Affected Systems and Versions
The vulnerability affects the following configurations:
| Operating System | Vulnerable Versions | Patched Version |
|---|---|---|
| Windows | Google Chrome prior to 147.0.7727.101 | 147.0.7727.101 or 147.0.7727.102 |
| Mac | Google Chrome prior to 147.0.7727.101 | 147.0.7727.101 or 147.0.7727.102 |
| Linux | Google Chrome prior to 147.0.7727.101 | 147.0.7727.101 |
CVE-2026-6361 is explicitly described as affecting Chrome on Windows. However, the Mac and Linux stable channel updates released alongside this fix contain other critical and high severity patches that should also be deployed promptly.
The fix is bundled with 30 other security patches in the April 15, 2026 stable channel update.
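The following added example, written for this page and not Google's or the advisory's own tooling, encodes the threshold from the table above: an installed build is patched if it is at or above 147.0.7727.101 (147.0.7727.102 is also fixed, so the same comparison holds on every listed platform). It parses four-part Chrome version strings, refuses to treat an unparsable string as safe, and tallies a constructed inventory export of the form host<TAB>version. The hostnames and version strings in the sample inventory are made up for the example; feed it the version reported by the browser or by your asset inventory.

```c
#include <stdio.h>
#include <string.h>

/* First fixed build from the advisory table. */
static const char *const FIXED_VERSION = "147.0.7727.101";

/* Parses "major.minor.build.patch" into out[4]; returns 1 on success, 0 on
 * malformed input (missing parts, trailing text, negative numbers). */
static int parse_chrome_version(const char *s, int out[4])
{
    char trailing;
    int n = sscanf(s, "%d.%d.%d.%d%c", &out[0], &out[1], &out[2], &out[3], &trailing);
    if (n != 4)
        return 0;                 /* n < 4: too few parts; n == 5: junk after the version */
    for (int i = 0; i < 4; i++)
        if (out[i] < 0)
            return 0;
    return 1;
}

static int cmp_version(const int a[4], const int b[4])
{
    for (int i = 0; i < 4; i++)
        if (a[i] != b[i])
            return a[i] < b[i] ? -1 : 1;
    return 0;
}

/* 1 = installed build includes the fix, 0 = still vulnerable,
 * -1 = version could not be parsed (report as unknown, never as safe). */
int chrome_is_patched(const char *installed)
{
    int have[4], fixed[4];
    if (!parse_chrome_version(installed, have))
        return -1;
    parse_chrome_version(FIXED_VERSION, fixed);
    return cmp_version(have, fixed) >= 0 ? 1 : 0;
}

/* Constructed inventory export: "host<TAB>version", one host per line. */
static const char *const SAMPLE_INVENTORY[] = {
    "ws-01\t147.0.7727.100",   /* one build short of the fix */
    "ws-02\t147.0.7727.101",   /* fixed */
    "ws-03\t146.0.7700.50",    /* older major, vulnerable */
    "ws-04\tunknown",          /* inventory tool could not read the version */
};
#define SAMPLE_INVENTORY_LEN (sizeof SAMPLE_INVENTORY / sizeof SAMPLE_INVENTORY[0])

/* Counts hosts still vulnerable and hosts whose version is unreadable. */
static void tally(const char *const *lines, size_t n, size_t *unpatched, size_t *unknown)
{
    *unpatched = *unknown = 0;
    for (size_t i = 0; i < n; i++) {
        const char *tab = strchr(lines[i], '\t');
        int r = chrome_is_patched(tab ? tab + 1 : "");
        if (r == 0)
            (*unpatched)++;
        else if (r < 0)
            (*unknown)++;
    }
}

size_t demo_sample_unpatched(void)
{
    size_t u, k;
    tally(SAMPLE_INVENTORY, SAMPLE_INVENTORY_LEN, &u, &k);
    return u;
}

size_t demo_sample_unknown(void)
{
    size_t u, k;
    tally(SAMPLE_INVENTORY, SAMPLE_INVENTORY_LEN, &u, &k);
    return k;
}

int main(void)
{
    for (size_t i = 0; i < SAMPLE_INVENTORY_LEN; i++) {
        const char *tab = strchr(SAMPLE_INVENTORY[i], '\t');
        int r = chrome_is_patched(tab ? tab + 1 : "");
        printf("%-6.*s %s\n", (int)(tab - SAMPLE_INVENTORY[i]), SAMPLE_INVENTORY[i],
               r == 1 ? "patched" : r == 0 ? "VULNERABLE" : "unknown version");
    }
    printf("unpatched: %zu, unknown: %zu\n", demo_sample_unpatched(), demo_sample_unknown());
    return 0;
}
```

The unknown bucket is kept separate on purpose: a host whose version cannot be read should land on the follow-up list, not silently in the patched column.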
Vendor Security History
Google maintains one of the more mature vulnerability management programs in the industry. The Chromium security team actively works to find and fix security bugs and operates a Vulnerability Rewards Program to incentivize external researchers. The update addressing CVE-2026-6361 includes 31 total security fixes, which is representative of the high volume of continuous security maintenance performed on the Chromium codebase.
Google employs a coordinated disclosure process, keeping bug details private until fixes are widely distributed. Access to the specific issue tracker entry for this vulnerability (Issue 500036290) remains restricted, preventing threat actors from reverse engineering the patch before organizations have time to deploy it.
Chrome's dominant market position (approximately 69 percent global share) means that vulnerabilities in the browser have an outsized impact on the broader security landscape. The following table provides context on browser market share as of early 2026:
| Web Browser | Global Market Share (2026) |
|---|---|
| Google Chrome | ~69% |
| Safari | ~16% |
| Microsoft Edge | ~5% |
| Firefox | ~2% |