Google fixes actively exploited Chrome zero-day in emergency security update
Google has released a Chrome security update to fix CVE-2026-11645, an actively exploited zero-day vulnerability in the browser’s V8 JavaScript engine. Users and administrators should update Chrome now instead of waiting for the staged automatic rollout.
The Chrome Stable Channel update moves the desktop browser to version 149.0.7827.102/.103 for Windows and Mac and 149.0.7827.102 for Linux. Google says the update includes 74 security fixes.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
The exploited flaw is not one of the Critical-rated items in the release. Google classifies CVE-2026-11645 as High severity, but the risk remains urgent because the company confirmed that an exploit exists in the wild.
What CVE-2026-11645 does
CVE-2026-11645 is an out-of-bounds read and write vulnerability in V8, the JavaScript and WebAssembly engine used by Chrome and Chromium-based browsers. NVD says the flaw affects Google Chrome before version 149.0.7827.103.
The weakness can allow a remote attacker to execute arbitrary code inside the browser sandbox by using a crafted HTML page. In practical terms, a victim may only need to visit a malicious or compromised webpage while running a vulnerable browser.
Google paid a $55,000 bug bounty for the report, which came from a researcher identified as 303f06e3 on April 27, 2026. The company has restricted technical details while users continue to receive the fix.
| Item | Details |
|---|---|
| CVE | CVE-2026-11645 |
| Component | V8 JavaScript and WebAssembly engine |
| Bug type | Out-of-bounds memory access, read and write |
| Severity | High |
| Exploitation status | Exploit exists in the wild |
| Fixed desktop versions | 149.0.7827.102/.103 for Windows and Mac, 149.0.7827.102 for Linux |
CISA adds the Chrome flaw to its exploited vulnerabilities catalog
The vulnerability has also reached the CISA Known Exploited Vulnerabilities catalog. That means U.S. federal civilian agencies must apply vendor instructions or stop using affected products if no mitigation is available.
NVD lists the CISA due date as June 23, 2026, giving federal agencies two weeks from the June 9 catalog addition to remediate the issue. Private organizations should treat the same date as a useful patching benchmark, especially for managed endpoints.
The NVD vulnerability record gives the issue a CISA ADP CVSS 3.1 score of 8.8. The vector shows network attack access, low attack complexity, no privileges required, and user interaction required.
Chrome’s June update fixes more than the zero-day
The June release includes 74 fixes across Chrome. Google lists 17 Critical vulnerabilities, most of them use-after-free bugs in core browser components such as Ozone, Aura, TabStrip, Bluetooth, Gamepad, Autofill, Views, Printing, Compositing, Web Apps, and Proxy.
Use-after-free bugs happen when software keeps using memory after it has already been released. Attackers can sometimes use that memory confusion to corrupt browser state, crash the browser, or help build a larger exploit chain.
The Google release note also lists many High-severity issues in V8, WebRTC, PDF, ServiceWorker, Extensions, Network, GPU, Dawn, Media, Skia, and other browser subsystems.
| Severity or area | What Google fixed |
|---|---|
| Total fixes | 74 security fixes |
| Critical issues | 17 Critical vulnerabilities, mostly use-after-free flaws |
| Exploited zero-day | CVE-2026-11645 in V8, rated High |
| Other notable areas | WebRTC, PDF, ServiceWorker, Extensions, Network, GPU, Dawn, SVG, Media, and Passwords |
Chrome has now patched five exploited zero-days in 2026
CVE-2026-11645 is the fifth Chrome zero-day that Google has patched in 2026. The previous four were CVE-2026-2441 in February, CVE-2026-3910 and CVE-2026-3909 in March, and CVE-2026-5281 later in March.
Google confirmed active exploitation for each of those earlier issues in separate Stable Channel updates. The February Chrome update fixed CVE-2026-2441, while the March 12 Chrome update fixed CVE-2026-3910.
The March 13 Chrome update fixed CVE-2026-3909 after Google moved that fix out of the previous day’s release notes. The March 31 Chrome update fixed CVE-2026-5281 in Dawn.
| CVE | Component | Bug type | Fixed version |
|---|---|---|---|
| CVE-2026-2441 | CSS | Use after free | 145.0.7632.75/.76 for Windows and Mac, 145.0.7632.75 for Linux |
| CVE-2026-3910 | V8 | Inappropriate implementation | 146.0.7680.75/.76 for Windows and Mac, 146.0.7680.75 for Linux |
| CVE-2026-3909 | Skia | Out-of-bounds write | 146.0.7680.80 for Windows, Mac, and Linux |
| CVE-2026-5281 | Dawn | Use after free | 146.0.7680.177/.178 for Windows and Mac, 146.0.7680.177 for Linux |
| CVE-2026-11645 | V8 | Out-of-bounds memory access | 149.0.7827.102/.103 for Windows and Mac, 149.0.7827.102 for Linux |
Why V8 zero-days are dangerous
V8 processes JavaScript and WebAssembly from websites, web apps, ads, and embedded web content. That makes V8 a frequent target for browser exploit developers because it handles untrusted code every day.
An exploit that works inside Chrome’s renderer process does not always mean full device compromise by itself. Attackers may still need another vulnerability to escape the browser sandbox and reach the operating system.
Even so, an in-browser code execution path can still create serious risk. It can support data theft, session hijacking, browser compromise, or follow-on exploitation, especially when paired with another bug.
- Users should update Chrome immediately on Windows, macOS, and Linux.
- Enterprises should push the fixed version through endpoint management tools.
- Security teams should check for outdated Chrome installations across managed devices.
- Chromium-based browsers should also be monitored for updates that pull in the same upstream fix.
- High-risk users should restart Chrome after the update installs so the fix actually takes effect.
How to update Chrome now
Chrome usually updates automatically, but Google says the rollout can take days or weeks. Users should manually check for the update because the vulnerability has already been exploited.
To update Chrome, open the three-dot menu, go to Help, then About Google Chrome. Chrome will check for updates, download the latest available build, and ask the user to relaunch the browser.
Administrators should verify that managed endpoints reach a fixed build and should not rely only on version drift reports. The CISA KEV deadline gives security teams a clear date to use for internal patch compliance tracking.
- Open Chrome.
- Click the three-dot menu in the top-right corner.
- Select Help.
- Select About Google Chrome.
- Let Chrome download the update.
- Click Relaunch when prompted.
- Confirm the browser shows version 149.0.7827.102 or later on Linux, or 149.0.7827.102/.103 or later on Windows and Mac.
This update deserves immediate attention because it combines a confirmed in-the-wild exploit, a V8 memory-corruption flaw, and broad exposure across desktop endpoints. The safest action is simple: update Chrome, restart it, and verify the fixed version.
FAQ
CVE-2026-11645 is a High-severity out-of-bounds memory access vulnerability in Chrome’s V8 JavaScript and WebAssembly engine. Google says an exploit for the flaw exists in the wild.
Google fixed the issue in Chrome 149.0.7827.102/.103 for Windows and Mac and 149.0.7827.102 for Linux. Users should install the update and relaunch Chrome.
Yes. Google confirmed that an exploit for CVE-2026-11645 exists in the wild, and CISA added the vulnerability to its Known Exploited Vulnerabilities catalog.
Open Chrome, click the three-dot menu, go to Help, then About Google Chrome. Chrome will check for updates automatically. Relaunch the browser after the update downloads.
Google rates CVE-2026-11645 as High severity, not Critical. The same Chrome update includes Critical vulnerabilities, but the actively exploited zero-day is listed as High severity.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
User forum
0 messages