Description
Out of bounds read and write in Blink>InterestGroups in Google Chrome prior to 149.0.7827.197 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)
Published: 2026-06-24
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an out‑of‑bounds read and write in the Blink InterestGroups component of Google Chrome. An attacker can deliver a crafted HTML page that forces the browser to access memory beyond the bounds of an allocation, allowing the attacker to read sensitive data and write arbitrary values, and thereby execute arbitrary code in the context of the user’s browser. Chromium rates this flaw as Critical severity, and it is a classic out‑of‑bounds memory corruption (CWE‑125).

Affected Systems

All installations of Google Chrome versions earlier than 149.0.7827.197 are affected. No other vendors or products are listed. The vulnerability is limited to the Chrome desktop browser.

Risk and Exploitability

The EPSS score is not available, and the vulnerability has not been listed in the CISA KEV catalog. Nonetheless, the flaw is remotely exploitable via a crafted web page, requiring only that the victim opens a malicious URL or loads a page containing malicious InterestGroups code. Attackers can gain full control of the victim’s browser process, compromising confidentiality, integrity, and availability of the user session.

Generated by OpenCVE AI on June 24, 2026 at 20:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google Chrome to version 149.0.7827.197 or later as provided in the latest stable release.
  • If an upgrade is not immediately feasible, employ browser settings or extensions to block third‑party interest groups and other potentially malicious web content that could trigger the flaw.
  • As a temporary measure, disable the InterestGroups feature by launching Chrome with the flag "--disable-blink-features=InterestGroups" or by setting the corresponding flag in the browser’s experimental features page.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Title Chrome Blink InterestGroups Out‑of‑Bounds Read/Write Enabling Arbitrary Code Execution

Wed, 24 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787
Metrics cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 24 Jun 2026 19:15:00 +0000

Type Values Removed Values Added
Description Out of bounds read and write in Blink>InterestGroups in Google Chrome prior to 149.0.7827.197 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)
Weaknesses CWE-125
References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-06-24T19:25:04.288Z

Reserved: 2026-06-23T17:14:11.742Z

Link: CVE-2026-13033

Vulnrichment

Updated: 2026-06-24T19:24:54.927Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T20:30:04Z

Weaknesses