HIGH 8.8

CVE-2026-11673: Chrome Use-After-Free RCE in InterestGroups—Patch Guidance

A use-after-free vulnerability in Google Chrome's InterestGroups feature allows attackers to execute arbitrary code within the browser's sandbox by tricking users into visiting a malicious webpage. The vulnerability affects Chrome versions prior to 149.0.7827.103 and can be exploited without requiring user privileges beyond normal web browsing.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416
Affected products
4 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Use after free in InterestGroups in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11673 is a use-after-free vulnerability (CWE-416) in the InterestGroups subsystem of Google Chrome. The flaw permits remote code execution within the Chrome sandbox through specially crafted HTML content. The vulnerability requires user interaction—specifically, visiting a compromised or attacker-controlled webpage—but no elevated privileges. The attack surface is the browser's rendering and interest-based ad targeting mechanisms, which are active during normal browsing. Successful exploitation results in arbitrary code execution bounded by the sandbox security model.

Business impact

Organizations where employees browse the web using affected Chrome versions face direct risk of endpoint compromise. Attackers could establish persistent footholds, exfiltrate data, or pivot to internal networks. The requirement for user interaction (visiting a malicious site) means phishing campaigns, watering hole attacks, or compromised legitimate websites become delivery mechanisms. For enterprises relying on Chrome as the standard browser, this represents a significant attack vector until patching is complete.

Affected systems

Google Chrome versions prior to 149.0.7827.103 are vulnerable. The vulnerability impacts Chrome running on Windows, macOS, and Linux systems. While the description lists these operating systems, the actual vulnerability resides in the Chrome browser itself; all three platforms running affected Chrome versions are at risk.

Exploitability

Exploitability is high. The attack requires only network access and user interaction (convincing a user to visit a malicious site), both of which are easily achievable at scale. No special configuration, authentication, or privilege escalation is needed. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U) reflects this: network-accessible, low complexity, and requiring only end-user action. While not yet listed on CISA's Known Exploited Vulnerabilities catalog, the straightforward attack requirements and high severity make this an attractive target for threat actors.

Remediation

Update Google Chrome to version 149.0.7827.103 or later. Verify the current version in Chrome Settings > About Chrome, which will automatically check for and install updates. Organizations should prioritize Chrome deployments in phased updates, beginning with high-risk user populations (executives, developers, finance teams). Consider implementing browser policies to enforce automatic updates and restrict access to older versions where feasible.

Patch guidance

Google Chrome auto-updates by default; users should ensure they are not delaying or deferring updates. Verify successful patching by navigating to chrome://settings/help, which displays the current version. For managed deployments, administrators should push version 149.0.7827.103 or later through their management tools. No workarounds exist for unpatched instances other than avoiding untrusted websites or using alternative browsers temporarily. Test the patch in non-production environments if using specialized Chrome configurations (e.g., kiosk mode, enterprise extensions).

Detection guidance

Monitor Chrome version inventory across endpoints to identify systems running versions prior to 149.0.7827.103. Flag any Chrome process crashes or unexpected subprocess spawning as potential exploitation attempts. Log or alert on network traffic to known malicious domains that might host exploitation payloads. Endpoint Detection and Response (EDR) solutions should track suspicious code execution originating from Chrome sandbox processes. Review browser history and DNS queries for suspicious navigation patterns that might precede exploitation attempts.

Why prioritize this

This vulnerability merits urgent attention due to its high CVSS score (8.8), straightforward attack vector (network, low complexity, user interaction), and broad reach (Chrome is ubiquitous in enterprise environments). While not yet on the KEV catalog, the low barrier to exploitation and potential for widespread distribution through phishing or malicious ads means rapid threat actor adoption is likely. The sandbox containment reduces but does not eliminate risk, particularly for targeted attacks.

Risk score, explained

The CVSS 3.1 score of 8.8 (HIGH) reflects: network-based attack vector with no special access required (AV:N), low attack complexity (AC:L), no privilege requirements (PR:N), and user interaction as the only prerequisite (UI:R). The impact severity is high across confidentiality, integrity, and availability (C:H/I:H/A:H) because arbitrary code execution, even in a sandbox, can exfiltrate sensitive data, corrupt local files, or cause denial of service. The scope is unchanged (S:U), meaning the impact is limited to the vulnerable component. Organizations should treat this as a critical near-term risk.

Frequently asked questions

What is an 'InterestGroups' feature and why does it matter for security?

InterestGroups is part of Google's Privacy Sandbox initiative, intended to enable interest-based advertising without third-party cookies. It processes and stores user interest data within the browser. A vulnerability here is particularly sensitive because it touches both ad targeting infrastructure and user privacy data, and it runs with browser privileges.

Does the sandbox protect me if I visit a malicious site?

Chrome's sandbox provides containment—code executed within it cannot directly access files or system resources outside the browser process. However, a skilled attacker can still exfiltrate data from the browser's memory, steal credentials, or chain this vulnerability with OS-level exploits to escape the sandbox. The sandbox reduces risk but does not eliminate it.

Is this vulnerability being actively exploited in the wild?

As of the advisory date, this vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, suggesting no confirmed in-the-wild exploitation has been publicly documented. However, the ease of exploitation and high severity mean threat actors are likely to develop and deploy exploits rapidly after public disclosure.

If I'm on macOS or Linux, should I still prioritize this patch?

Yes. The vulnerability affects Chrome across all operating systems. macOS and Linux users often represent high-value targets (developers, security researchers, etc.), making them attractive targets for watering hole attacks that exploit this flaw.

This analysis is based on publicly available vulnerability data and vendor advisories as of the modification date. SEC.co makes no guarantee regarding exploit availability, active exploitation, or specific attack campaigns. Organizations should verify patch applicability in their environment and consult vendor documentation before deployment. The CVSS score and severity ratings are as supplied by the vendor and the CVE record; prioritization should also account for asset criticality and exposure in your specific environment. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).