Cyber Posture

CVE-2026-2648

High

Published: 18 February 2026

Published
18 February 2026
Modified
19 February 2026
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0004 12.1th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-2648 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 12.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Requires timely application of vendor patches to remediate the specific heap buffer overflow in PDFium, directly preventing exploitation via crafted PDF files.

SI-16 Memory Protection good match
prevent

Implements memory protection mechanisms like ASLR, DEP, and heap hardening to block out-of-bounds memory writes from heap buffer overflows.

SC-39 Process Isolation partial match
prevent

Enforces process isolation for the PDFium renderer, containing potential code execution from the buffer overflow within a sandbox to limit system compromise.

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
attack.mitre.org →
Why these techniques?

Heap buffer overflow in PDFium (client-side PDF renderer) directly enables arbitrary code execution when a crafted PDF is opened in Chrome, mapping to Exploitation for Client Execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Heap buffer overflow in PDFium in Google Chrome prior to 145.0.7632.109 allowed a remote attacker to perform an out of bounds memory write via a crafted PDF file. (Chromium security severity: High)

Deeper analysisAI

CVE-2026-2648 is a heap buffer overflow vulnerability, classified under CWE-122, affecting the PDFium component in Google Chrome versions prior to 145.0.7632.109. Published on 2026-02-18, it enables a remote attacker to perform an out-of-bounds memory write through a specially crafted PDF file. The issue carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is rated High severity by Chromium security.

A remote attacker without privileges can exploit this vulnerability over the network with low complexity by convincing a user to open a malicious PDF file in an affected Chrome browser, requiring user interaction. Successful exploitation allows high-impact consequences across confidentiality, integrity, and availability, such as potential arbitrary code execution via the out-of-bounds memory write.

Google addressed the vulnerability in Chrome version 145.0.7632.109. Official advisories include the Chrome Releases stable channel update at https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_18.html and the Chromium issue tracker entry at https://issues.chromium.org/issues/477033835.

Details

CWE(s)
CWE-122

Affected Products

google
chrome
≤ 145.0.7632.109

CVEs Like This One

CVE-2025-0999Same product: Google Chrome
CVE-2025-1426Same product: Google Chrome
CVE-2025-0434Same product: Google Chrome
CVE-2025-0611Same product: Google Chrome
CVE-2026-6361Same product: Google Chrome
CVE-2026-2650Same product: Google Chrome
CVE-2025-0762Same product: Google Chrome
CVE-2025-0997Same product: Google Chrome
CVE-2026-6315Same product: Google Chrome
CVE-2025-1916Same product: Google Chrome

References