Unrated

Out-of-Bounds Read in Google Chrome Blink InterestGroups

IdentifiersCVE-2026-13033CWE-125

CVE-2026-13033 is a Critical memory-safety vulnerability in the Blink InterestGroups component of Google Chrome, part of the Privacy Sandbox / Protected Audience (FLEDGE) advertising auction functionality. The issue is described as an out-of-bounds read, and the primary description also states out-of-bounds read and write, in Chrome versions prior to 149.0.7827.197. A remote attacker can trigger the flaw via a crafted HTML page. Available reporting indicates the bug can cause access to memory outside intended bounds in Blink>InterestGroups, potentially exposing adjacent memory contents and, per the vendor description, enabling arbitrary code execution.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation may allow a remote attacker to execute arbitrary code in the context of the affected Chrome process by luring a target to a crafted HTML page. Supporting reporting also indicates the flaw can leak adjacent memory contents, so impact may include information disclosure in addition to code-execution outcomes. More generally, exploitation of the vulnerable renderer component could lead to browser compromise and potentially further post-exploitation depending on available sandbox escape or chaining opportunities.

Mitigation

If you can’t patch tonight, do this now.

Apply vendor patches immediately. Until patching is complete, reduce exposure by limiting use of untrusted web content, restricting access to potentially malicious sites, and prioritizing updates for all Chromium-based products in the environment. Monitor for renderer instability or crashes involving Blink/InterestGroups as a possible signal of attempted exploitation. No specific workaround short of updating was provided in the cited advisories.

Remediation

Patch, then assume compromise.

Update Google Chrome to version 149.0.7827.197 or later on affected platforms, or to the corresponding patched Chromium build provided by downstream vendors. Debian specifically advises upgrading chromium to 149.0.7827.196-1~deb13u1 or later patched package versions. Chromium-based browsers and applications should be updated once vendor patches are available.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

DebianChromiumapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

6 SOURCESView more in app

cyber security newsNews

Jun 25, 2026

Chrome 149 Security Update - Patch for Critical Flaws that Enable Code Execution Attacks

A critical out-of-bounds read vulnerability in Blink's InterestGroups component in Chrome.

cyberthroneNews

Jun 25, 2026

Google Chrome 149 Security Update: 18 Vulnerabilities Patched - TheCyberThrone

A critical out-of-bounds read vulnerability in Blink's InterestGroups component that can leak adjacent memory contents to a malicious page.

chrome releases blogNews

Jun 23, 2026

Chrome Releases: Stable Channel Update for Desktop

A critical out-of-bounds read vulnerability in Chrome Blink InterestGroups.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity1

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-13033

NVD

nvd.nist.gov/vuln/detail/CVE-2026-13033

MITRE CWE · CWE-125

cwe.mitre.org