Description
Use after free in InterestGroups in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Published: 2026-06-08
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use‑after‑free flaw in Google Chrome’s InterestGroups implementation permits an attacker to execute arbitrary code inside the browser’s sandbox when a crafted HTML page is opened. The vulnerability exists in Chrome versions prior to 149.0.7827.103 and is classified as high severity. It does not allow direct access outside the sandbox, but it does enable arbitrary code to run with the privileges of the browser process.

Affected Systems

All users running Google Chrome for desktop on any supported operating system with a version earlier than 149.0.7827.103 are affected. The vulnerability is present in the Chromium source used to build the stable channel of Chrome.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, and the EPSS score of <1% indicates a very low probability of exploitation. The flaw is not listed in the CISA KEV catalog. Exploitation requires an attacker to deliver a malicious HTML page to a user, after which the use‑after‑free can be triggered to run code within the browser sandbox.

Generated by OpenCVE AI on June 11, 2026 at 02:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 149.0.7827.103 or later on all affected systems.
  • Ensure that the operating system and desktop environment receive and apply any necessary updates that are required to support the newer Chrome version.
  • Implement or enforce web filtering or site‑blocking controls to restrict access to sites that may host malicious HTML content until the browser update is applied.

Generated by OpenCVE AI on June 11, 2026 at 02:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6337-1 chromium security update
History

Thu, 11 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: Use after free in InterestGroups
Weaknesses CWE-825
References
Metrics threat_severity

None

 threat_severity

Important

Tue, 09 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Tue, 09 Jun 2026 03:45:00 +0000

Type Values Removed Values Added
Title Use-After-Free in InterestGroups Exploitable via Crafted HTML Page

Tue, 09 Jun 2026 01:30:00 +0000

Type Values Removed Values Added
Title Use-After-Free in InterestGroups Exploitable via Crafted HTML Page
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 01:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Mon, 08 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
Description Use after free in InterestGroups in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Weaknesses CWE-416
References

Subscriptions

Apple Macos
Google Chrome
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-09T03:55:46.063Z

Reserved: 2026-06-08T21:33:48.381Z

Link: CVE-2026-11673

cve-icon Vulnrichment

Updated: 2026-06-09T01:02:53.450Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-09T00:16:50.553

Modified: 2026-06-09T14:54:06.580

Link: CVE-2026-11673

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-08T00:00:00Z

Links: CVE-2026-11673 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-11T02:45:03Z

Weaknesses