Google rolled out an urgent security update for Chrome on June 30, 2026, patching a dangerous use-after-free flaw in the browser's PDF rendering engine that could let attackers hijack a computer simply by tricking a user into opening a malicious PDF. The fix arrives in Chrome version 150.0.7871.47 for Windows, Mac, and Linux, and every user should apply it immediately.

The Fix: Chrome 150.0.7871.47 Closes a Dangerous Use-After-Free

The vulnerability, tracked as CVE-2026-14108, resides in PDFium—the open-source library Chrome uses to display PDF files without needing Adobe Reader or other plugins. A use-after-free bug means that the software tries to access memory that has already been released. An attacker can carefully craft a PDF that, when loaded in Chrome, triggers this memory management error, potentially letting them run arbitrary code on the victim's machine.

Google’s advisory marks this as a Low severity flaw, but that label can be misleading. The Common Vulnerability Scoring System (CVSS) often rates bugs that require user interaction (like opening a file) lower, yet PDFs are one of the most common file types on the web. A malicious PDF can be hosted on a seemingly legitimate website, sent via email, or even embedded in an ad—meaning the attack surface is enormous. Security researchers often consider such bugs high risk because of how easily they can be exploited in the real world.

The new Chrome build (150.0.7871.47) is now rolling out via the built-in update system. The bug affected all Chrome desktop versions prior to this release. Google did not disclose the name of the researcher who reported the flaw, but credited the discovery to an external security contributor.

Who's Affected and What's at Stake

If you're a regular Chrome user on Windows, Mac, or Linux, this update will be installed automatically over the coming days. But you should not wait—active exploitation is possible even if Google hasn’t confirmed any public attacks yet. The consequences of a successful exploit are severe: an attacker could install malware, steal sensitive data, or take complete control of your PC.

For IT administrators and enterprise security teams, this is a patch-me-now situation. Use-after-free vulnerabilities in widely used components like PDFium are particularly dangerous because a single crafted PDF sent to an employee’s inbox could compromise an entire corporate network. Google Chrome Enterprise policies and group policy objects (GPOs) for Windows should be updated to ensure all managed browsers receive the fix without delay.

Developers who embed PDFium directly in their own applications should check whether their build integrates this patch and update accordingly—though this is less common for most business software.

Mobile Chrome (Android, iOS) was not mentioned in this advisory, so it likely runs a different PDFium version or pipeline and is not affected.

How Chrome's PDF Engine Became a Prime Target

PDFium hasn’t had a spotless security record. Over the past few years, the library has been the source of multiple critical vulnerabilities. In 2024, two remote code execution bugs in PDFium were patched in quick succession, and in 2025, three more high-severity flaws were fixed, one of which earned a researcher a $75,000 bounty under Google’s Vulnerability Reward Program. Attackers target PDF engines because the file format is complex, with support for JavaScript, embedded fonts, and media—all of which expand the attack surface.

Chrome introduced its own bundled PDF viewer in 2011, replacing the need for Adobe’s plugin. That shift dramatically reduced exploit traffic via Adobe Reader flaws, but it also meant PDFium became a high-value target for browser exploits. The sandbox that isolates PDFium from the rest of the system helps contain damage, but sandbox escapes are not impossible, especially when chained with another privilege escalation bug.

This latest fix, CVE-2026-14108, is the third security patch in Chrome 150’s first stable channel update, indicating that Google is still actively hardening its browser against memory corruption attacks. The rapid patching cycle—Chrome now updates every four weeks—means that such flaws are rarely left open for long once discovered, but zero-day exploitation before a patch is always a fear.

Immediate Steps to Protect Yourself and Your Organization

For home users

  1. Check your Chrome version now. Click the three-dot menu > Help > About Google Chrome. The page will show the current version and start an update check. If you’re not on 150.0.7871.47 or higher, let it download and install.
  2. Restart Chrome. The browser must restart to apply the update. Save your work, then click the “Relaunch” button.
  3. Be picky about PDFs. Even after updating, avoid opening PDFs from unknown sources. If a website unexpectedly downloads a PDF, delete it. Enable “Ask where to save each file before downloading” in Chrome Settings > Downloads.

For enterprise IT

  • Push the update through your management console. Use Google Chrome Enterprise policies to force installation of version 150.0.7871.47. For Windows domains, verify that the GPO “Update policy override default” is set to “Always allow updates” and consider using the “Target version override” to expedite rollouts.
  • Audit PDF handling. Consider blocking automatic PDF opening via GPO (set “Always Open PDF files externally” if needed) until all endpoints are patched, though this may disrupt user workflows.
  • Monitor threat feeds. Watch for any intelligence indicating active exploitation of CVE-2026-14108. Google’s own security blog and Twitter handles often hint at in-the-wild attacks.
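
To confirm the rollout actually landed, the version check from the steps above can be run over a fleet inventory. The sketch below is an added example, not Google's tooling: the `host,version string` inventory format, the hostnames and every version other than the fixed build 150.0.7871.47 are constructed for illustration. It compares builds numerically, because a plain string comparison would rank 150.0.7871.5 above 150.0.7871.47.

```python
import re

# Fixed desktop build named in the article.
FIXED = (150, 0, 7871, 47)

# Chrome desktop versions are four dot-separated integers.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")

# Constructed sample inventory: "host,version string reported by the endpoint".
SAMPLE_INVENTORY = """\
# host,reported version (constructed data)
ws-001,Google Chrome 150.0.7871.47
ws-002,Google Chrome 150.0.7871.5
mac-014,Google Chrome 149.0.7790.120
lnx-007,Google Chrome 151.0.7900.2 beta
ws-033,
kiosk-02,chrome not found
"""

def parse_version(text):
    """Return the first four-part version in text as a tuple of ints, or None."""
    match = VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None

def classify(version_output):
    """Label one endpoint's reported version against the fixed build."""
    version = parse_version(version_output)
    if version is None:
        return "unknown"  # no usable version: follow up manually
    # Tuple comparison is numeric per component, so (..., 5) < (..., 47).
    return "patched" if version >= FIXED else "vulnerable"

def audit(inventory_text):
    """Group hosts by patch status; blank lines and '#' comments are skipped."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for line in inventory_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, output = line.partition(",")
        report[classify(output)].append(host.strip())
    return report

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```

Hosts that land in the "unknown" group reported no parsable version and should be checked by hand rather than assumed patched.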

Quick version reference

Platform               Affected versions               Fixed version
Windows, Mac, Linux    Chrome < 150.0.7871.47          150.0.7871.47
Android / iOS          Not affected (as per advisory)  N/A

Looking Ahead: PDF-Based Threats Are Here to Stay

PDFs will remain a core part of business and personal communication, and that means attackers will keep probing PDF rendering engines for weaknesses. Google has invested heavily in memory safety, with projects like using Rust in new code and deploying hardware-enforced mitigations, but a complete rewrite of PDFium may be unlikely given its massive codebase.

Expect more zero-day reports and under-the-hood hardening in future Chrome releases. Until then, the single best defense is to keep Chrome up to date and treat every unexpected PDF with suspicion. This CVE may carry a “low” rating on paper, but the risk of ignoring it is anything but.