EUVD-2026-35273
GHSA-x6q3-gw4h-79f9
Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Use after free in InterestGroups in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
AnalysisAI
Remote code execution in Google Chrome versions prior to 149.0.7827.103 stems from a use-after-free flaw in the InterestGroups component, enabling a remote attacker to execute arbitrary code within the renderer sandbox via a crafted HTML page. The vulnerability carries a CVSS 8.8 (High) score and is rated High severity by Chromium, but no public exploit identified at time of analysis and SSVC indicates exploitation status of none. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The victim must use a Chrome build prior to 149.0.7827.103 and must visit or be navigated to an attacker-controlled HTML page (CVSS UI:R confirms required user interaction); the Protected Audience / InterestGroups feature must be reachable, which is the default on stable desktop Chrome but can be turned off via Privacy Sandbox enterprise policies or chrome://flags. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H indicates network-reachable exploitation with low complexity, no privileges, and required user interaction (visiting a page), with high impact across CIA but scope unchanged (code executes inside the sandbox). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker hosts or compromises a website that, when loaded by a victim, invokes the Protected Audience JavaScript APIs in a sequence crafted to trigger the use-after-free in InterestGroups; on the victim's vulnerable Chrome instance, the freed object is reallocated under attacker control and the dangling pointer is dereferenced to redirect execution to attacker shellcode running inside the renderer sandbox. No public exploit identified at time of analysis, and to break out of the sandbox the attacker would need to chain this with a separate sandbox escape vulnerability - typical of modern Chrome exploit chains used by commercial spyware vendors and APTs. |
| Remediation | Vendor-released patch: Google Chrome 149.0.7827.103 - update via Chrome's auto-update mechanism or manually trigger an update through chrome://settings/help and restart the browser, as documented in the Chrome Releases advisory at https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0153744567.html. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Assess Chrome deployment footprint across the organization and prepare patch rollout plan prioritizing high-risk users (developers, finance, legal). …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Vendor StatusVendor
SUSE
Severity: Critical| Product | Status |
|---|---|
| openSUSE Leap 16.0 | Fixed |
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today