Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-15133

CVE-2026-15133: Google Chrome Use-After-Free Vulnerability

CVE-2026-15133 is a use-after-free vulnerability in Google Chrome's InterestGroups that enables remote code execution within a sandbox via malicious HTML pages. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-15133 Overview

CVE-2026-15133 is a use-after-free vulnerability in the InterestGroups component of Google Chrome versions prior to 150.0.7871.115. The flaw allows a remote attacker to execute arbitrary code inside the Chrome renderer sandbox by serving a crafted HTML page to a targeted user. Google classified the Chromium security severity as High, and the issue is tracked under [CWE-416: Use After Free].

The InterestGroups API is part of Chrome's Privacy Sandbox and supports on-device ad auctions through the Protected Audience API. Exploitation requires user interaction, typically loading a malicious page, but no authentication or elevated privileges.

Critical Impact

Remote attackers can execute arbitrary code inside the Chrome renderer sandbox by luring a user to a crafted HTML page.

Affected Products

  • Google Chrome Desktop versions prior to 150.0.7871.115
  • Chromium-based browsers incorporating the vulnerable InterestGroups implementation
  • Downstream distributions until rebased on the patched Chromium branch

Discovery Timeline

  • 2026-07-08 - CVE-2026-15133 published to NVD
  • 2026-07-09 - Last updated in NVD database

Technical Details for CVE-2026-15133

Vulnerability Analysis

The defect resides in the InterestGroups subsystem, which manages persistent per-origin data used by Chrome's Protected Audience ad auction API. A use-after-free condition occurs when the browser continues to reference an object after its backing memory has been released. An attacker who influences the lifetime of that object can substitute controlled data into the freed slot, then drive the dangling pointer into a write or virtual call site.

Successful exploitation yields arbitrary code execution within the renderer process. The renderer sandbox constrains that execution, so an attacker typically pairs this bug with a sandbox escape to reach the host operating system. The advisory notes that user interaction is required, meaning the victim must navigate to attacker-controlled content or a compromised site.

Root Cause

The root cause is improper object lifetime management in the InterestGroups code path. A reference to a heap-allocated object outlives its owning scope, and subsequent operations dereference the stale pointer. This class of defect is common in browser engines that mix asynchronous callbacks with reference-counted or raw-owned C++ objects.

Attack Vector

A remote attacker hosts a crafted HTML page that invokes Protected Audience APIs in an order that triggers premature deallocation of an InterestGroups object. Delivery methods include phishing links, malicious advertisements, and compromised sites. No prior authentication is required, but the target must load the page. See the Chromium Issue Tracker Entry and the Google Chrome Desktop Update for vendor-provided technical context.

No public proof-of-concept code is available at the time of publication, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Detection Methods for CVE-2026-15133

Indicators of Compromise

  • Chrome renderer processes crashing with signatures referencing InterestGroups, AdAuction, or heap-use-after-free faults
  • Unexpected child processes spawned from chrome.exe following browser navigation to untrusted domains
  • Outbound connections from browser processes to newly registered or low-reputation domains hosting ad-auction script

Detection Strategies

  • Monitor endpoint telemetry for anomalous process creation and memory access patterns originating from Chrome renderer processes
  • Correlate browser crash reports referencing InterestGroups with subsequent suspicious activity on the same host
  • Inspect proxy and DNS logs for user navigation to domains that invoke Protected Audience APIs from uncommon origins

Monitoring Recommendations

  • Track Chrome version inventory across managed endpoints and alert on hosts running builds below 150.0.7871.115
  • Enable enterprise reporting for Chrome crash and security events through the Chrome Enterprise policy set
  • Review web filtering logs for exposure to malvertising networks, a common delivery channel for browser exploits

How to Mitigate CVE-2026-15133

Immediate Actions Required

  • Update Google Chrome to version 150.0.7871.115 or later on all managed endpoints
  • Restart Chrome after the update completes so the patched binary loads in memory
  • Audit Chromium-based browsers such as Edge, Brave, and Opera and apply their corresponding upstream-patched releases

Patch Information

Google addressed the vulnerability in Chrome Stable 150.0.7871.115. Details are available in the Google Chrome Desktop Update and the Chromium Issue Tracker Entry. Enterprise administrators should push the update via Chrome Browser Enterprise or their standard software distribution tooling.

Workarounds

  • Restrict browsing to trusted destinations using web filtering until patching completes
  • Disable the Protected Audience API through the PrivacySandboxAdsAPIsEnabled enterprise policy where business use cases permit
  • Deploy site isolation and enforce SitePerProcess policy to reduce the impact of renderer compromise
bash
# Configuration example: enforce Chrome update and disable Privacy Sandbox APIs via enterprise policy (Linux managed policies)
cat >/etc/opt/chrome/policies/managed/cve-2026-15133.json <<'EOF'
{
  "TargetVersionPrefix": "150.0.7871.115",
  "ComponentUpdatesEnabled": true,
  "PrivacySandboxAdsAPIsEnabled": false,
  "SitePerProcess": true
}
EOF

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.