Google has released Chrome version 150.0.7871.46 for Windows, Mac, and Linux, closing a medium-severity vulnerability in the browser’s built-in PDF renderer that could allow attackers to deceive users with manipulated interface elements.
This update, currently rolling out through Chrome’s automatic update mechanism, addresses CVE-2026-14404, a flaw in the PDFium library that processes PDF documents inside the browser. The fix follows standard Chrome release cycles but demands immediate attention from anyone who routinely opens PDFs from email, messaging apps, or the web.
A crafted PDF that lies to your screen
CVE-2026-14404 lives inside Chrome’s PDF viewer, the same component that opens invoices, tickets, and e-books without requiring a separate application. Google’s advisory describes the issue as an “inappropriate implementation in PDFium” that could let a remote attacker “craft a PDF file that spoofs the browser UI.” In practical terms, a malicious PDF can draw fake address bars, fake popups, or fake security indicators that look indistinguishable from Chrome’s own chrome.
The danger isn’t in the PDF itself crashing your computer—Chrome’s sandbox prevents that. The danger is that a convincingly faked dialog box or login prompt could trick you into handing over a password, clicking a disguised download button, or accepting permissions you’d normally reject. A moment of distraction with what looks like a routine document is all an attacker needs.
Google has rated the flaw as medium severity, a label that reflects the technical complexity of exploitation rather than the potential fallout if successful. To pull this off, an attacker would need to deliver the crafted PDF via a link or attachment and then time their social engineering so precisely that the user doesn’t notice the ruse. But because PDFs are so common in business, education, and government workflows, the attack surface is enormous.
What this means for home users
If you use Chrome on a personal Windows PC, the fix is already on its way. Chrome updates itself silently in the background most of the time. However, if you leave the browser running for days or weeks without restarting, you might still be vulnerable. The version that contains the patch is 150.0.7871.46. You can confirm you’re protected by typing chrome://version into the address bar and looking at the top line.
For everyday browsing, the risk is low if you don’t open PDFs from untrusted sources. But “untrusted” is a fuzzy concept when PDFs arrive via legitimate-looking services. Think of the fake shipping notice with a PDF attachment, or the too-good-to-be-true invoice that lands in your inbox. Chrome’s PDF viewer opens those files immediately when you click a link, often without an obvious download step. That instant rendering is exactly where the spoofing attack can fire.
Until your Chrome gets updated, exercise extra caution with any PDF link you weren’t expecting. When in doubt, save the file and scan it with your desktop antivirus before opening, or use a dedicated PDF reader like Adobe Acrobat, which isn’t affected by this Chrome-specific bug.
What this means for IT administrators
If you manage Windows fleets with Chrome installed, this CVE should accelerate your next patch cycle. While medium severity rarely triggers emergency deployment, two factors argue for speed: the pervasiveness of PDF-based phishing and the ease with which a spoofed UI can fool even trained staff.
Chrome’s group policy templates let you force an update prompt or block the browser until the latest version is installed. Consider pushing the update through your software distribution tool during the next maintenance window. If you use Google Update policies, check that auto-update check intervals haven’t been stretched too wide—the default 5-hour check should catch the release, but custom configurations can create gaps.
Also audit any legacy Chrome installations. Chrome 150 will be the final major version for some older operating systems; if you’re still running Windows 7 or 8.1, you’ll need to migrate immediately, as the browser will stop receiving security patches. The PDFium fix applies only to Chrome 150, so older versions remain vulnerable indefinitely.
For enterprises that rely on Chromium-based alternatives, the picture varies. Microsoft Edge uses its own PDF engine built on Adobe Acrobat technology and is not affected by CVE-2026-14404. Brave, Opera, and Vivaldi, which track Chromium closely, will absorb the fix shortly after it appears in the Chromium source. Check those vendors’ release notes for timing.
How we got here
Chrome has included a built-in PDF viewer since 2010, when it integrated the PDFium project. PDFium was originally developed by Foxit Software and later open-sourced. It replaced Adobe’s NPAPI plug-in, giving Chrome a sandboxed, always-available PDF renderer. That sandbox means that even if a bug allows code execution, the attacker is contained within a restricted environment that can’t read your files or spy on your keystrokes.
But UI spoofing sidesteps the sandbox entirely because it doesn’t require code execution—it merely displays misleading visual elements in the browser window. Chrome’s security model assumes the browser’s trusted user interface (the address bar, permission prompts, and page-info bubbles) cannot be imitated by content. PDFium flaws that break that assumption have surfaced before. In 2020, CVE-2020-6508 allowed a crafted PDF to show a fake URL in the address bar. Two years later, CVE-2022-0971 revealed similar UI confusion. Each time, the fix involved tightening the rules about what a PDF can draw and where it can draw it.
CVE-2026-14404 is the latest installment in this running battle. The Chromium team disclosed it on the same day the stable channel update shipped, a practice that indicates the vulnerability wasn’t known to be under active exploitation at the time of release. Google doesn’t publicly share technical details until a majority of users have updated, so the deep mechanics of the spoof remain behind a limited-access bug tracker.
What you should do right now
-
Update Chrome manually — Even if you have auto-update turned on, you can force the process. Click the three-dot menu at top right, choose Help, then About Google Chrome. The page that opens will show the current version and immediately start downloading the update if one is pending. Once it displays version 150.0.7871.46, click Relaunch.
-
Verify the version — Type
chrome://versioninto the address bar. The first line must readGoogle Chrome 150.0.7871.46 (Official Build) (64-bit)(or similar for 32-bit/ARM). If it shows anything lower, repeat step one or download the installer from google.com/chrome. -
Enable enhanced safe browsing — While not a direct patch for this CVE, Chrome’s Enhanced Safe Browsing mode sends suspicious documents to Google for real-time scanning. Go to Settings → Privacy and security → Security and turn on Enhanced protection. This feature can catch some malicious PDFs before they render.
-
Adjust PDF behavior — If you want an extra layer until the patch is confirmed, you can change how Chrome handles PDFs. In Settings → Privacy and security → Site Settings → Additional content settings → PDF documents, toggle off “Open PDFs in Chrome.” This forces downloaded PDFs to open in your system’s default PDF reader instead of Chrome’s built-in viewer. Just remember that downloaded files will still sit in your Downloads folder, so don’t open them unless you trust the source.
-
For enterprise admins — Use your management console to force an update. For Windows environments using Google Update, the command
GoogleUpdate.exe /installtriggered by a scheduled task will fetch the latest release. Group Policy users should verify that “Update policy override” is not set to disable auto-updates entirely.
The broader outlook
Chrome 150 is a milestone release that also brings performance and UI refinements beyond security, but this PDFium fix is its most urgent payload. Expect Google to publish further technical details in the coming weeks once the majority of the user base is patched, at which point proof-of-concept code may appear. That window between disclosure and widespread update is when attackers most often weaponize published research—another reason to update promptly rather than waiting.
Looking ahead, the PDF attack surface continues to grow. As browsers become the default document viewers for millions of users, every rendering quirk becomes a potential social engineering channel. Google’s ongoing investment in PDFium security is a quiet cat-and-mouse game that rarely makes headlines except when a new CVE appears. For Windows users, the takeaway is simple: let Chrome stay current, and treat any document you open—regardless of how it looks—with the same caution you’d give an executable file.