If you have Chrome open right now and have not restarted it since last month, your browser is running a version with a known, actively exploited security flaw. That is not a theoretical risk. CISA confirmed real-world exploitation on June 9, 2026, the same day Google's fix reached users.

CVE-2026-11645 is an out-of-bounds read and write vulnerability in V8, Chrome's JavaScript and WebAssembly engine, that can allow a remote attacker to execute arbitrary code within the browser's sandbox via a crafted HTML page. You do not need to click a file or enter any credentials. Visiting the wrong webpage is enough.

What the Vulnerability Actually Does

V8 is the engine that runs JavaScript inside Chrome. It processes code from every website you visit, which makes it one of the most exposed components in any browser. V8 uses just-in-time (JIT) compilation: it monitors JavaScript execution patterns at runtime and compiles hot code paths to native machine instructions for speed. This process allocates typed arrays, objects, and compiled code regions in heap memory with defined size bounds.

The vulnerability occurs when a JIT-compiled code path performs a read or write using an index or offset that V8 does not correctly validate, enabling access to memory outside the intended buffer boundary. In practical terms, an attacker loads a crafted HTML page that feeds the JIT compiler a specific execution pattern. The result is heap corruption.

Successful exploitation enables attackers to access data beyond the memory buffer via heap corruption, exposing sensitive information or triggering a crash. Besides unauthorized access to out-of-bounds memory, the now-patched zero-day bug could also be exploited to bypass protection mechanisms such as ASLR, making it easier to achieve code execution via another weakness.

That last point matters. ASLR is a core memory defense that randomizes where programs load in memory, making exploits harder to aim. A flaw that bypasses it does not just win one attack layer. It opens a path for a second-stage exploit to follow.

The Discovery and Google's Response

A security researcher named "303f06e3" has been credited with discovering and reporting the flaw on April 27, 2026. The researcher has been awarded a bug bounty of $55,000 for responsible disclosure.

Google released Chrome 149.0.7827.102/.103 for Windows and macOS, as well as Chrome 149.0.7827.102 for Linux, addressing 74 security vulnerabilities, including a high-severity zero-day flaw in the V8 JavaScript engine that the company says has been exploited in the wild.

As is customary in these cases, Google acknowledged that an "exploit for CVE-2026-11645 exists in the wild," but stopped short of sharing additional specifics to ensure that a majority of the users are updated with a fix and to prevent further exploitation.

Key facts about this update:

  • CVE-2026-11645 carries a CVSS score of 8.8, rated High severity.
  • The patch is included in Chrome 149.0.7827.102/.103 on Windows and macOS.
  • Linux users need Chrome 149.0.7827.102.
  • The update includes 17 critical vulnerabilities beyond the zero-day.
  • CISA added CVE-2026-11645 to its Known Exploited Vulnerabilities catalog on June 9, 2026.
  • The bug was reported six weeks before Google's public disclosure.
ChatGPT Image Jul 6, 2026, 12_00_41 PM.png
Infographic highlighting Google's emergency Chrome update, the V8 zero-day flaw, affected browsers, and urgent security steps.

The 2026 Chrome Zero-Day Pattern That Should Concern You

CVE-2026-11645 is the fifth Chrome zero-day vulnerability Google has fixed in 2026. That number is significant. Five exploited zero-days in six months across one browser is not a routine maintenance cycle. It reflects sustained, targeted attention from threat actors who treat Chrome's attack surface as productive ground.

Two other Chrome zero-day bugs exploited in attacks in March: an out-of-bounds write weakness in the Skia 2D graphics library (CVE-2026-3909), and an inappropriate implementation vulnerability in the V8 JavaScript and WebAssembly engine (CVE-2026-3910). And a use-after-free weakness in Dawn (CVE-2026-5281), the underlying cross-platform implementation of the WebGPU standard used by the Chromium project, which Google patched in April.

The first zero-day of 2026, CVE-2026-2441, is a memory bug in how the browser handles certain font features that attackers were already exploiting. That landed in February. Since then, a new exploited Chrome zero-day has surfaced roughly every five to six weeks.

Who Is Exposed Beyond Chrome

The impact of this Google Chromium zero-day does not stop at Chrome. Chromium is the engine powering Microsoft Edge, Opera, Brave, Vivaldi, Samsung Internet, and a wide range of embedded runtimes inside Electron-based desktop applications. Every one of these browsers and runtimes carries the same underlying V8 vulnerability until individually patched.

That scope matters for enterprise environments especially. Security teams that confirm Chrome has updated may still have dozens of Electron-based apps running unpatched Chromium builds on the same endpoints.

How to Update and Verify

Steps to confirm you are protected:

  • Open Chrome and go to Settings, then Help, then About Google Chrome.
  • The browser will check for updates automatically on that screen.
  • Confirm the version reads 149.0.7827.103 on Windows or macOS, or 149.0.7827.102 on Linux.
  • Click Relaunch immediately after the update downloads.
  • An updated but unrelaunched Chrome is still running the vulnerable version.
  • For enterprise fleets, use Google Admin Console to enforce minimum version 149.0.7827.103.

Users of other Chromium-based browsers, such as Microsoft Edge, Brave, Opera, and Vivaldi, are also advised to apply the fixes as and when they become available.