Description
Out of bounds read and write in Blink>InterestGroups in Google Chrome prior to 149.0.7827.197 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)
Published: 2026-06-24
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an out‑of‑bounds read and write in the Blink InterestGroups component of Google Chrome. An attacker can deliver a crafted HTML page that forces the browser to access memory beyond allocation, allowing the attacker to read sensitive data and write arbitrary values, thereby executing arbitrary code. The issue involves both a buffer underread (CWE‑125) and a buffer out‑of‑bounds write (CWE‑787), making it a critical memory corruption flaw.

Affected Systems

All installations of Google Chrome versions earlier than 149.0.7827.197 are affected. No other vendors or products are listed. The vulnerability is limited to the Chrome desktop browser.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, yet the EPSS score is not available and the vulnerability has not been listed in the CISA KEV catalog. It can be exploited remotely via a crafted web page, requiring only that the victim opens a malicious URL or loads a page containing malicious InterestGroups code. Attackers can gain full control of the victim’s browser process, compromising confidentiality, integrity, and availability of the user session.

Generated by OpenCVE AI on June 24, 2026 at 21:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 149.0.7827.197 or later as provided in the latest stable release.
  • If an upgrade is not immediately feasible, employ browser settings or extensions to block third‑party interest groups and other potentially malicious web content that could trigger the flaw.
  • As a temporary measure, disable the InterestGroups feature by launching Chrome with the flag "--disable-blink-features=InterestGroups" or by setting the corresponding flag in the browser’s experimental features page.

Generated by OpenCVE AI on June 24, 2026 at 21:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4654-1 chromium security update
Debian DSA Debian DSA DSA-6364-1 chromium security update
History

Mon, 29 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title chromium-browser: chromium-browser: Out of bounds read in Blink>InterestGroups
References
Metrics threat_severity

None

threat_severity

Critical


Thu, 25 Jun 2026 06:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google chrome
Vendors & Products Google
Google chrome

Wed, 24 Jun 2026 22:15:00 +0000

Type Values Removed Values Added
Title Chrome Blink InterestGroups Out‑of‑Bounds Read/Write Enabling Arbitrary Code Execution

Wed, 24 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Title Chrome Blink InterestGroups Out‑of‑Bounds Read/Write Enabling Arbitrary Code Execution

Wed, 24 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 19:15:00 +0000

Type Values Removed Values Added
Description Out of bounds read and write in Blink>InterestGroups in Google Chrome prior to 149.0.7827.197 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)
Weaknesses CWE-125
References

cve-icon MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-25T03:55:37.073Z

Reserved: 2026-06-23T17:14:11.742Z

Link: CVE-2026-13033

cve-icon Vulnrichment

Updated: 2026-06-24T19:24:54.927Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Critical

Publid Date: 2026-06-24T18:43:13Z

Links: CVE-2026-13033 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T06:00:05Z

Weaknesses