CVE-2026-2648 — Heap-based Buffer Overflow in Google Chrome

CWE-122 — Heap-based Buffer Overflow CWE-942 — Permissive Cross-domain Security Policy with Untrusted Domains10 documents10 sources

Severity

8.8HIGHNVD

EPSS

0.0%

top 89.86%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Google Chrome Chromium

Timeline

PublishedFeb 18

Latest updateMar 17

Description

Heap buffer overflow in PDFium in Google Chrome prior to 145.0.7632.109 allowed a remote attacker to perform an out of bounds memory write via a crafted PDF file. (Chromium security severity: High)

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶CVEListV5google/chrome145.0.7632.109 — 145.0.7632.109

▶NVDgoogle/chrome< 145.0.7632.109

▶Debianchromium/chromium< 145.0.7632.109-1~deb12u3+2

🔴Vulnerability Details

GHSA

AVideo affected by Session Hijacking via Unauthenticated Session ID Disclosure with Permissive CORS↗2026-03-17

▶

GHSA

GHSA-4g6v-jhwq-9xjj: Heap buffer overflow in PDFium in Google Chrome prior to 145↗2026-02-19

▶

OSV

CVE-2026-2648: Heap buffer overflow in PDFium in Google Chrome prior to 145↗2026-02-18

▶

CVEList

CVE-2026-2648: Heap buffer overflow in PDFium in Google Chrome prior to 145↗2026-02-18

▶

📋Vendor Advisories

Chrome

Stable Channel Update for ChromeOS / ChromeOS Flex: CVE-2026-2648↗2026-02-26

▶

Red Hat

chromium-browser: Heap buffer overflow in PDFium↗2026-02-18

▶

Microsoft

Chromium: CVE-2026-2648 Heap buffer overflow in PDFium↗2026-02-10

▶

Debian

CVE-2026-2648: chromium - Heap buffer overflow in PDFium in Google Chrome prior to 145.0.7632.109 allowed ...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-2648 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶