Google fixes actively exploited Chrome zero-day in emergency security update


Google has released a Chrome security update to fix CVE-2026-11645, an actively exploited zero-day vulnerability in the browser’s V8 JavaScript engine. Users and administrators should update Chrome now instead of waiting for the staged automatic rollout.

The Chrome Stable Channel update moves the desktop browser to version 149.0.7827.102/.103 for Windows and Mac and 149.0.7827.102 for Linux. Google says the update includes 74 security fixes.

The exploited flaw is not one of the Critical-rated items in the release. Google classifies CVE-2026-11645 as High severity, but the risk remains urgent because the company confirmed that an exploit exists in the wild.

What CVE-2026-11645 does

CVE-2026-11645 is an out-of-bounds read and write vulnerability in V8, the JavaScript and WebAssembly engine used by Chrome and Chromium-based browsers. NVD says the flaw affects Google Chrome before version 149.0.7827.103.

The weakness can allow a remote attacker to execute arbitrary code inside the browser sandbox by using a crafted HTML page. In practical terms, a victim may only need to visit a malicious or compromised webpage while running a vulnerable browser.

Google paid a $55,000 bug bounty for the report, which came from a researcher identified as 303f06e3 on April 27, 2026. The company has restricted technical details while users continue to receive the fix.

ItemDetails
CVECVE-2026-11645
ComponentV8 JavaScript and WebAssembly engine
Bug typeOut-of-bounds memory access, read and write
SeverityHigh
Exploitation statusExploit exists in the wild
Fixed desktop versions149.0.7827.102/.103 for Windows and Mac, 149.0.7827.102 for Linux

CISA adds the Chrome flaw to its exploited vulnerabilities catalog

The vulnerability has also reached the CISA Known Exploited Vulnerabilities catalog. That means U.S. federal civilian agencies must apply vendor instructions or stop using affected products if no mitigation is available.

NVD lists the CISA due date as June 23, 2026, giving federal agencies two weeks from the June 9 catalog addition to remediate the issue. Private organizations should treat the same date as a useful patching benchmark, especially for managed endpoints.

The NVD vulnerability record gives the issue a CISA ADP CVSS 3.1 score of 8.8. The vector shows network attack access, low attack complexity, no privileges required, and user interaction required.

Chrome’s June update fixes more than the zero-day

The June release includes 74 fixes across Chrome. Google lists 17 Critical vulnerabilities, most of them use-after-free bugs in core browser components such as Ozone, Aura, TabStrip, Bluetooth, Gamepad, Autofill, Views, Printing, Compositing, Web Apps, and Proxy.

Use-after-free bugs happen when software keeps using memory after it has already been released. Attackers can sometimes use that memory confusion to corrupt browser state, crash the browser, or help build a larger exploit chain.

The Google release note also lists many High-severity issues in V8, WebRTC, PDF, ServiceWorker, Extensions, Network, GPU, Dawn, Media, Skia, and other browser subsystems.

Severity or areaWhat Google fixed
Total fixes74 security fixes
Critical issues17 Critical vulnerabilities, mostly use-after-free flaws
Exploited zero-dayCVE-2026-11645 in V8, rated High
Other notable areasWebRTC, PDF, ServiceWorker, Extensions, Network, GPU, Dawn, SVG, Media, and Passwords

Chrome has now patched five exploited zero-days in 2026

CVE-2026-11645 is the fifth Chrome zero-day that Google has patched in 2026. The previous four were CVE-2026-2441 in February, CVE-2026-3910 and CVE-2026-3909 in March, and CVE-2026-5281 later in March.

Google confirmed active exploitation for each of those earlier issues in separate Stable Channel updates. The February Chrome update fixed CVE-2026-2441, while the March 12 Chrome update fixed CVE-2026-3910.

The March 13 Chrome update fixed CVE-2026-3909 after Google moved that fix out of the previous day’s release notes. The March 31 Chrome update fixed CVE-2026-5281 in Dawn.

CVEComponentBug typeFixed version
CVE-2026-2441CSSUse after free145.0.7632.75/.76 for Windows and Mac, 145.0.7632.75 for Linux
CVE-2026-3910V8Inappropriate implementation146.0.7680.75/.76 for Windows and Mac, 146.0.7680.75 for Linux
CVE-2026-3909SkiaOut-of-bounds write146.0.7680.80 for Windows, Mac, and Linux
CVE-2026-5281DawnUse after free146.0.7680.177/.178 for Windows and Mac, 146.0.7680.177 for Linux
CVE-2026-11645V8Out-of-bounds memory access149.0.7827.102/.103 for Windows and Mac, 149.0.7827.102 for Linux

Why V8 zero-days are dangerous

V8 processes JavaScript and WebAssembly from websites, web apps, ads, and embedded web content. That makes V8 a frequent target for browser exploit developers because it handles untrusted code every day.

An exploit that works inside Chrome’s renderer process does not always mean full device compromise by itself. Attackers may still need another vulnerability to escape the browser sandbox and reach the operating system.

Even so, an in-browser code execution path can still create serious risk. It can support data theft, session hijacking, browser compromise, or follow-on exploitation, especially when paired with another bug.

  • Users should update Chrome immediately on Windows, macOS, and Linux.
  • Enterprises should push the fixed version through endpoint management tools.
  • Security teams should check for outdated Chrome installations across managed devices.
  • Chromium-based browsers should also be monitored for updates that pull in the same upstream fix.
  • High-risk users should restart Chrome after the update installs so the fix actually takes effect.

How to update Chrome now

Chrome usually updates automatically, but Google says the rollout can take days or weeks. Users should manually check for the update because the vulnerability has already been exploited.

To update Chrome, open the three-dot menu, go to Help, then About Google Chrome. Chrome will check for updates, download the latest available build, and ask the user to relaunch the browser.

Administrators should verify that managed endpoints reach a fixed build and should not rely only on version drift reports. The CISA KEV deadline gives security teams a clear date to use for internal patch compliance tracking.

  1. Open Chrome.
  2. Click the three-dot menu in the top-right corner.
  3. Select Help.
  4. Select About Google Chrome.
  5. Let Chrome download the update.
  6. Click Relaunch when prompted.
  7. Confirm the browser shows version 149.0.7827.102 or later on Linux, or 149.0.7827.102/.103 or later on Windows and Mac.

This update deserves immediate attention because it combines a confirmed in-the-wild exploit, a V8 memory-corruption flaw, and broad exposure across desktop endpoints. The safest action is simple: update Chrome, restart it, and verify the fixed version.

FAQ

What is CVE-2026-11645?

CVE-2026-11645 is a High-severity out-of-bounds memory access vulnerability in Chrome’s V8 JavaScript and WebAssembly engine. Google says an exploit for the flaw exists in the wild.

Which Chrome versions fix CVE-2026-11645?

Google fixed the issue in Chrome 149.0.7827.102/.103 for Windows and Mac and 149.0.7827.102 for Linux. Users should install the update and relaunch Chrome.

Is the Chrome zero-day being exploited?

Yes. Google confirmed that an exploit for CVE-2026-11645 exists in the wild, and CISA added the vulnerability to its Known Exploited Vulnerabilities catalog.

How do I update Chrome manually?

Open Chrome, click the three-dot menu, go to Help, then About Google Chrome. Chrome will check for updates automatically. Relaunch the browser after the update downloads.

Is CVE-2026-11645 a Critical Chrome vulnerability?

Google rates CVE-2026-11645 as High severity, not Critical. The same Chrome update includes Critical vulnerabilities, but the actively exploited zero-day is listed as High severity.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages