CISA warns Google Chromium V8 zero-day is being exploited in attacks


CISA has added a Google Chromium V8 zero-day vulnerability to its Known Exploited Vulnerabilities catalog after evidence showed that attackers are exploiting it in the wild.

The flaw is tracked as CVE-2026-11645 and affects Google Chrome before version 149.0.7827.103. According to the Chrome Stable Channel update, Google fixed the issue in a June 8, 2026 desktop security release.

The bug is serious because a remote attacker can trigger it through a crafted HTML page. That means a user may only need to visit a malicious or compromised website while using a vulnerable browser version.

Google patched CVE-2026-11645 after exploitation was confirmed

CVE-2026-11645 is an out-of-bounds read and write vulnerability in V8, the JavaScript and WebAssembly engine used by Chrome and other Chromium-based projects. The NVD entry says the flaw can let a remote attacker execute arbitrary code inside a sandbox through a crafted HTML page.

Google rated the issue as high severity and said it was aware that an exploit exists in the wild. The company did not publish technical exploit details, which is standard practice while users and downstream projects are still applying fixes.

The June 8 update moved Chrome Stable to version 149.0.7827.102 or 149.0.7827.103 on Windows and Mac, and version 149.0.7827.102 on Linux. Users should open Chrome, go to Help > About Google Chrome, install any available update, and relaunch the browser.

CVE: CVE-2026-11645
Component: V8 JavaScript and WebAssembly engine
Vulnerability type: Out-of-bounds read and write
Severity: High
Attack vector: Crafted HTML page
Exploitation status: Exploited in the wild
Patched Chrome version: 149.0.7827.103 or later
CISA deadline for federal agencies: June 23, 2026

CISA added the flaw to its KEV catalog

CISA added CVE-2026-11645 to its Known Exploited Vulnerabilities catalog on June 9, 2026. That move means CISA has evidence that the vulnerability has been used in real attacks.

The agency also published a separate CISA alert saying it added three exploited vulnerabilities to the catalog, including the Google Chromium V8 issue.

Under Binding Operational Directive 22-01, U.S. federal civilian agencies must apply vendor instructions or stop using the affected product if fixes are not available. CISA set the remediation deadline for June 23, 2026.

  • Federal agencies must follow CISA’s remediation timeline.
  • Enterprise admins should update Chrome across managed endpoints.
  • Home users should manually check Chrome for updates if the browser has not restarted recently.
  • Admins should also verify update status for other Chromium-based browsers through each vendor’s own release notes.

Why the V8 flaw is dangerous

V8 processes JavaScript and WebAssembly code inside the browser. Attackers often target browser engines because users interact with websites, ads, email links, and web apps throughout the day.

The National Vulnerability Database lists CVE-2026-11645 with a CVSS 3.1 score of 8.8 from CISA-ADP. The vector shows that exploitation works over the network and requires no privileges, but it does require user interaction.

In practical terms, an attacker could lure a user to a malicious page and attempt to run code inside the browser sandbox. More advanced attackers may try to chain a browser exploit with another flaw to escape the sandbox and gain deeper access to the device.

Chrome users should update immediately

The safest fix is to update Chrome now. The Google Chrome release notes say the update includes 74 security fixes, with CVE-2026-11645 listed as a high-severity V8 memory access issue.

Chrome usually installs updates automatically, but the browser still needs to relaunch to finish the process. Users who keep browser windows open for days may remain exposed until they restart Chrome.

Organizations should not rely only on automatic updates. Managed environments should check endpoint inventory, confirm Chrome versions, and push the fixed build where needed.
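As an added illustration of the inventory check described above (this is example code, not from the article or from Google), the script below compares each endpoint's reported Chrome version against the minimum fixed Stable build named in the release notes and lists the hosts that still need the update. The inventory rows are constructed sample data, and the hostnames are placeholders; the one thing it demonstrates that a quick spreadsheet sort does not is that version strings must be compared numerically, because as text "149.0.7827.99" sorts above "149.0.7827.102".

```python
"""Added example: flag endpoints still running a Chrome build older than the
fixed version for CVE-2026-11645. Not from the article; the inventory rows
below are constructed sample data with placeholder hostnames."""

from typing import Iterable, List, Tuple

# Lowest fixed Stable build reported in the June 8, 2026 release notes
# (149.0.7827.102; 149.0.7827.103 also shipped on Windows and Mac).
MIN_FIXED = "149.0.7827.102"


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted Chrome version into integers so comparison is numeric.

    A plain string comparison ranks "149.0.7827.99" above "149.0.7827.102"
    and would mark a vulnerable host as patched.
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Chrome version format: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed: str, minimum_fixed: str = MIN_FIXED) -> bool:
    """True when the installed build is at or above the minimum fixed build."""
    return parse_version(installed) >= parse_version(minimum_fixed)


def find_unpatched(
    inventory: Iterable[Tuple[str, str]], minimum_fixed: str = MIN_FIXED
) -> List[Tuple[str, str]]:
    """Return (hostname, version) for every endpoint below the fix.

    Rows whose version cannot be parsed are reported as well: an unknown
    version is something to investigate, not something to treat as safe.
    """
    unpatched = []
    for host, version in inventory:
        try:
            ok = is_patched(version, minimum_fixed)
        except ValueError:
            ok = False
        if not ok:
            unpatched.append((host, version))
    return unpatched


# Constructed sample inventory (hostnames and versions are placeholders).
SAMPLE_INVENTORY = [
    ("ws-finance-01", "149.0.7827.103"),  # patched
    ("ws-finance-02", "149.0.7827.99"),   # looks newer as text, is older
    ("ws-dev-07", "148.0.7790.150"),      # previous major version
    ("ws-exec-03", "149.0.7827.102"),     # patched (Linux build)
    ("ws-hr-11", "unknown"),              # inventory gap, report it
]

if __name__ == "__main__":
    for host, version in find_unpatched(SAMPLE_INVENTORY):
        print(f"{host}: {version} is below {MIN_FIXED}, update and relaunch")
```

In a real deployment the inventory tuples would come from the endpoint management export; only the parsing and comparison logic matters here.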

Action users should take, by browser:

Google Chrome: Update to 149.0.7827.103 or later where available, then relaunch
Microsoft Edge: Check Edge update status and install the latest vendor release
Opera: Check Opera update status and install the latest vendor release
Brave, Vivaldi, and other Chromium-based browsers: Check each browser’s official update page and apply the latest patch

What organizations should monitor

Browser zero-days can appear in phishing campaigns, watering-hole attacks, malicious ads, and targeted intrusion attempts. Security teams should treat browser update delays as a real exposure, especially on systems used by executives, developers, administrators, and finance teams.

The CISA KEV catalog entry tells organizations to apply vendor mitigations, follow BOD 22-01 guidance for cloud services where relevant, or discontinue use if mitigations are unavailable.

The CISA warning also reinforces a broader lesson for security teams. Known exploited vulnerabilities need faster handling than ordinary patch backlogs because attackers have already shown interest in them.

  • Confirm Chrome version data from endpoint management tools.
  • Look for users running outdated browsers after the update window.
  • Monitor suspicious browser crashes, unusual renderer behavior, and post-browser process activity.
  • Limit access to risky websites where possible.
  • Use EDR alerts and web filtering to reduce exposure while patching continues.
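The "post-browser process activity" item above is the one a detection engineer can turn into a concrete rule. The following added example (not from the article, and not any EDR vendor's schema) runs a simple check over process-creation events: a Chromium-based browser launching many copies of its own executable is normal, but a browser process launching something that is not a browser and not on a tuned allowlist is worth an alert. The event records and hostnames are constructed sample data, and the field names and the allowlist entry are assumptions.

```python
"""Added example (not from the article): flag process-creation events where a
Chromium-based browser launches an unexpected child process. Event records
are constructed sample data in a generic parent/child layout; field names
and the allowlist entry are assumptions, not any vendor's schema."""

import re
from typing import Dict, FrozenSet, Iterable, List

# Windows image names of Chromium-based browsers. Chromium runs renderers,
# GPU and utility processes as copies of the same image, so a browser
# spawning itself is expected and is not flagged.
BROWSER_IMAGES: FrozenSet[str] = frozenset(
    {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}
)

# Hypothetical placeholder for helper binaries a browser legitimately launches
# in your environment; replace with names from your own baseline.
DEFAULT_ALLOWLIST: FrozenSet[str] = frozenset({"example_updater_helper.exe"})


def image_name(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return re.split(r"[\\/]", path.strip())[-1].lower()


def is_suspicious(
    event: Dict[str, str], allowlist: FrozenSet[str] = DEFAULT_ALLOWLIST
) -> bool:
    """True when a browser process spawns a non-browser, non-allowlisted child."""
    parent = image_name(event["parent_image"])
    child = image_name(event["image"])
    return (
        parent in BROWSER_IMAGES
        and child not in BROWSER_IMAGES
        and child not in allowlist
    )


def suspicious_children(
    events: Iterable[Dict[str, str]], allowlist: FrozenSet[str] = DEFAULT_ALLOWLIST
) -> List[Dict[str, str]]:
    """Return the subset of events that should raise an alert."""
    return [ev for ev in events if is_suspicious(ev, allowlist)]


CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

# Constructed sample events; hostnames and command lines are placeholders.
SAMPLE_EVENTS = [
    {"host": "ws-dev-07", "parent_image": CHROME, "image": CHROME,
     "command_line": "chrome.exe --type=renderer"},
    {"host": "ws-finance-02", "parent_image": CHROME,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden"},
    {"host": "ws-exec-03", "parent_image": EDGE, "image": EDGE,
     "command_line": "msedge.exe --type=gpu-process"},
    {"host": "ws-hr-11", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe"},
    {"host": "ws-dev-07", "parent_image": CHROME,
     "image": r"C:\Program Files\Example\example_updater_helper.exe",
     "command_line": "example_updater_helper.exe"},
]

if __name__ == "__main__":
    for ev in suspicious_children(SAMPLE_EVENTS):
        print(f"{ev['host']}: {image_name(ev['parent_image'])} spawned "
              f"{image_name(ev['image'])} ({ev['command_line']})")
```

The rule is deliberately narrow: it does not try to recognize the exploit itself, only the behaviour that follows a successful one, which is why it stays useful across different browser bugs. Expect to extend the allowlist after a baseline period, and pair the alert with the version check so that a hit on an unpatched host is triaged first.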

CVE-2026-11645 should remain a high-priority patching item until organizations confirm that affected systems have updated. Browser vulnerabilities move quickly, and active exploitation leaves little room for delayed rollout.

FAQ

What is CVE-2026-11645?

CVE-2026-11645 is a high-severity out-of-bounds read and write vulnerability in Google Chrome’s V8 engine. It can allow a remote attacker to execute code inside the browser sandbox through a crafted HTML page.

Is CVE-2026-11645 being exploited in attacks?

Yes. Google said an exploit exists in the wild, and CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on June 9, 2026.

Which Chrome version fixes CVE-2026-11645?

Google fixed the vulnerability in Chrome Stable version 149.0.7827.102 or 149.0.7827.103, depending on platform. Users should update Chrome and relaunch the browser to complete installation.

Does CVE-2026-11645 affect Microsoft Edge and other Chromium browsers?

The vulnerability affects the Chromium V8 engine, but each Chromium-based browser ships updates through its own vendor channel. Users should update Chrome immediately and also check Microsoft Edge, Opera, Brave, Vivaldi, and other Chromium-based browsers for the latest available releases.

What is CISA’s deadline for CVE-2026-11645?

CISA set a June 23, 2026 remediation deadline for U.S. federal civilian agencies under Binding Operational Directive 22-01. Other organizations should also prioritize the patch because the flaw is actively exploited.
