Chrome V8 Zero-Day CVE-2026-11645: 5th Actively Exploited Chrome Bug of 2026 Hits 3.5B Users

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
CVE-2026-11645, an out-of-bounds read and write in Chrome's V8 JavaScript engine scoring CVSS 8.8, is under active exploitation in the wild right now, placing over 3.5 billion Chrome users at risk of arbitrary code execution via a crafted web page that requires no download, no login, and no user action beyond visiting a malicious URL. CISA added CVE-2026-11645 to the Known Exploited Vulnerabilities catalog on June 9, 2026, confirming that threat actors are using this flaw against real targets while the majority of endpoints remain unpatched.
The vulnerability lives in V8, Chrome's open-source JavaScript and WebAssembly engine. V8 compiles JavaScript just-in-time, meaning attacker-controlled scripts execute at machine code speed. The out-of-bounds read/write primitive occurs when V8 processes JavaScript operations that push memory access beyond the bounds of an allocated buffer, allowing an attacker to read or write to adjacent heap memory regions. Combined with heap spray and ASLR bypass techniques, this primitive escalates to arbitrary code execution inside Chrome's renderer sandbox. Sandbox escape to the underlying OS requires a second exploit stage, but Google's confirmation of active exploitation suggests threat actors have a working chain.
This is the fifth Chrome zero-day exploited in the wild in 2026 alone — following CVE-2026-2441, CVE-2026-3909, CVE-2026-3910, and CVE-2026-5281. Five actively exploited zero-days in six months signals sustained adversary investment in browser engine memory corruption. Patch Chrome to 149.0.7827.103 today. Every hour of delay is an hour of active exploitation window on your unpatched endpoints.
How Does the Chrome V8 Out-of-Bounds Vulnerability Work?
CVE-2026-11645 is an out-of-bounds read and write flaw in V8, the JavaScript and WebAssembly engine embedded in Chrome and every Chromium-based browser. V8 uses just-in-time compilation: it monitors JavaScript execution patterns at runtime and compiles hot code paths to native machine instructions for speed. This process allocates typed arrays, objects, and compiled code regions in heap memory with defined size bounds. The vulnerability occurs when a JIT-compiled code path performs a read or write using an index or offset that V8 does not correctly validate, enabling access to memory outside the intended buffer boundary.
In a real attack, a visitor loads a crafted HTML page containing attacker-supplied JavaScript. The script triggers V8's JIT compiler to process a specific execution pattern that exposes the out-of-bounds access flaw. The resulting memory operation writes attacker-controlled data to a heap region adjacent to the target buffer — heap corruption. At this point, the attacker can overwrite V8 internal data structures: typed array length fields, function pointers, or object metadata. Corrupting these structures converts the initial out-of-bounds write into a general read/write primitive anywhere in the V8 heap.
From that primitive, standard browser exploit techniques apply: an information leak bypasses ASLR by revealing heap layout; pointer corruption redirects a function call to attacker-controlled shellcode; execution occurs inside Chrome's renderer process. Google withheld the specific technical details of CVE-2026-11645 while the fix propagated — standard responsible disclosure practice. However, active exploitation is confirmed, meaning at least one threat actor has a working, weaponized exploit chain. Organizations should plan defenses assuming the attacker achieves renderer-level code execution at minimum.
Which Chrome Versions and Browsers Are Affected by CVE-2026-11645?
CVE-2026-11645 affects all Google Chrome versions prior to 149.0.7827.103 on Windows and macOS, and prior to 149.0.7827.102 on Linux. Because V8 is the shared JavaScript engine for every Chromium-based browser, any browser built on the Chromium open-source project is affected until its vendor applies the corresponding V8 patch. Affected browsers include Google Chrome, Microsoft Edge, Brave, Opera, Vivaldi, Samsung Internet, and any other Chromium derivative.
Chrome holds approximately 65% global browser market share. With 5.5 billion internet users worldwide, that represents over 3.5 billion potential targets reachable through a single crafted web page. Enterprise networks typically run mixed browser environments: managed Chrome on corporate endpoints, Chromium derivatives on developer workstations, and browser-rendered content in kiosks or lab systems. Any of these is a valid exploitation target.
Microsoft had not yet issued a public Edge patched version statement as of June 30, 2026. Organizations relying on Edge should monitor the Microsoft Security Response Center; Edge typically patches its V8 component within 1 to 3 days of Google's Chrome release. Brave, Opera, and Vivaldi follow similar timelines. For enterprise management: Google Admin Console users can force-push Chrome 149.0.7827.103 via Devices > Chrome > Apps & extensions. Intune or Group Policy deployments should update the Chrome ADMX-targeted installer version immediately.
The vulnerability was discovered by researcher "303f06e3" and reported on April 27, 2026, earning a $55,000 bug bounty. Google patched and released 149.0.7827.103 shortly thereafter. The gap between discovery and confirmed exploitation indicates threat actors found or acquired the vulnerability independently, gaining approximately a five-week zero-day window before the fix was available.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Five Chrome Zero-Days in 2026: A Pattern Security Teams Must Address
CVE-2026-11645 is the fifth Chrome vulnerability confirmed exploited in the wild in 2026, following CVE-2026-2441, CVE-2026-3909, CVE-2026-3910, and CVE-2026-5281. A rate of roughly one exploited browser zero-day per month is consistent with nation-state and commercial surveillance operator targeting of browser infrastructure as a reliable initial access vector.
Browser zero-days occupy a specific and high-value position in the exploitation toolkit: they require no valid credentials, no VPN access, no file download, and no user error beyond loading a page. The attacker controls delivery — through malvertising on legitimate ad networks, iframe injection on compromised websites, targeted phishing links, or direct access via social engineering. A single malicious page deployed at scale can reach millions of unpatched users in hours.
The previous Chrome zero-day in this sequence, CVE-2026-5281, was exploited within days of patch release — a pattern called patch diffing, where researchers reverse-engineer the fix to reconstruct the vulnerability. Organizations that delayed patching CVE-2026-5281 faced active exploitation before remediation. CVE-2026-11645 follows the same risk arc. The patch is available today; exploitation is confirmed; the attacker's advantage shrinks as patching spreads.
This pattern is also relevant for the broader June 2026 patch cycle, which addressed six zero-days across multiple Microsoft products. Browser zero-days and OS zero-days are converging into a sustained exploitation campaign environment where patch velocity is the primary defensive variable. Five browser zero-days in one year demands automated, verified browser update enforcement — not a policy that permits 30-day patch windows.
“An exploit for CVE-2026-11645 exists in the wild. Google Chrome prior to 149.0.7827.103 contains an out-of-bounds memory access flaw in V8.”
CISA Known Exploited Vulnerabilities Catalog, June 2026
CVE-2026-11645 Indicators of Compromise: What to Monitor
Google has not published specific network indicators — IP addresses, domains, or file hashes — for the CVE-2026-11645 exploitation campaign. This is standard practice when restricting details pending broad patch propagation. Detection for this CVE relies on behavioral and endpoint signals rather than IOC matching.
Chrome renderer process crashes immediately before or during a site visit are the earliest available signal. Browser crashes during normal usage are rare on modern hardware; a crash correlated with a visit to an unfamiliar URL warrants investigation. Chrome's local crash log (chrome://crashes/) and endpoint crash telemetry in EDR platforms should be reviewed for spikes following external web activity. Behavioral IOCs to monitor:
Subscribe to unlock Indicators of Compromise
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
How to Patch CVE-2026-11645 Before End of Day
Patching Chrome is the highest-impact, lowest-effort remediation action available for CVE-2026-11645. The fix is already deployed in Chrome 149.0.7827.103 — no emergency hotfix download, no vendor account required, and no downtime for most environments. Apply before end of business today.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Why Chrome V8 Zero-Day CVE-2026-11645 Matters for Your Organization
Browser zero-day exploitation is the most scalable initial access vector that does not require user error. A phishing attack needs someone to click and open an attachment. A browser zero-day needs someone to visit a page. The attacker controls when and how that visit happens — through malvertising, iframe injection on compromised legitimate sites, targeted phishing links, or direct access through social engineering. The victim organization's users navigate the web as part of their normal workday. That is the attack surface.
CVE-2026-11645's confirmed in-the-wild exploitation means at least one threat actor has a fully weaponized drive-by exploit chain targeting Chrome users today. The five Chrome zero-days in 2026 establish a sustained pattern: sophisticated adversaries, whether nation-state or commercial surveillance operators, do not deploy browser exploits once. They build chains and use them systematically across multiple targets until detection or patching eliminates the vector.
Browser version enforcement is among the most commonly undermanaged enterprise security controls. Auto-update policies exist but are frequently disabled on locked-down endpoints, suppressed by proxy configurations, or delayed by 30-day maintenance windows. The result is an inventory of unpatched browsers that provides drive-by exploit access to attackers who know this. Malicious Chrome extensions compounded this risk earlier in 2026 — CVE-2026-11645 operates at a lower level, in the engine itself, and cannot be blocked by extension policy.
Chrome V8 zero-day CVE-2026-11645 is patched, available, and deployable in under two minutes per endpoint. The only remaining exposure window is the gap between "patch available" and "all endpoints patched." Close it today.
The bottom line
Chrome V8 zero-day CVE-2026-11645 exposes over 3.5 billion Chrome users to arbitrary code execution via a single crafted web page, with CISA's KEV addition confirming active exploitation against real targets today. Three key takeaways: patch Chrome to 149.0.7827.103 immediately by navigating to More > Help > About Google Chrome and clicking Relaunch; verify patch propagation across all managed endpoints using your endpoint inventory before end of business — any device still on an older version is actively exposed; and enable EDR process genealogy monitoring for unexpected child processes from Chrome renderer workers as a behavioral detection layer while Google withholds specific network IOCs. Five actively exploited Chrome zero-days in 2026 means automated browser patch enforcement is now a mandatory security control, not a best practice.
This analysis is generic — the platform version scores threats like this against your own stack.
Frequently asked questions
What is CVE-2026-11645 in Chrome?
CVE-2026-11645 is a CVSS 8.8 out-of-bounds read and write vulnerability in Chrome's V8 JavaScript engine. A remote attacker can exploit it by serving a crafted HTML page containing specially structured JavaScript that triggers an out-of-bounds memory access in V8's JIT compiler. This enables heap corruption leading to arbitrary code execution inside Chrome's renderer sandbox. Google confirmed active exploitation in the wild and CISA added the vulnerability to its Known Exploited Vulnerabilities catalog in June 2026.
Which Chrome versions are affected by CVE-2026-11645?
All Google Chrome versions prior to 149.0.7827.103 on Windows and macOS, and prior to 149.0.7827.102 on Linux, are affected. The vulnerability also affects every Chromium-based browser — including Microsoft Edge, Brave, Opera, and Vivaldi — until those vendors release their own patched builds incorporating the V8 fix. Update Chrome by navigating to More > Help > About Google Chrome and relaunching after the update downloads.
How does the V8 out-of-bounds vulnerability allow code execution?
V8 compiles JavaScript just-in-time into native machine code. CVE-2026-11645 occurs when V8's JIT compiler processes a specific JavaScript pattern that causes a memory read or write operation to exceed the bounds of its allocated buffer. The resulting heap corruption lets an attacker overwrite V8 internal data structures — typed array lengths or function pointers — converting the initial out-of-bounds access into a general heap read/write primitive. Combined with ASLR bypass via information leak, this enables arbitrary code execution inside the Chrome renderer process.
Is Microsoft Edge affected by the Chrome V8 zero-day CVE-2026-11645?
Yes. Microsoft Edge is built on the Chromium open-source project and shares the same V8 JavaScript engine as Google Chrome. Edge versions using V8 builds prior to the CVE-2026-11645 fix are vulnerable to the same out-of-bounds exploit. Microsoft typically releases a patched Edge version within one to three days of Google's Chrome patch. Monitor the Microsoft Security Response Center for an Edge advisory and update Edge to the corresponding patched version as soon as it is available.
How do I update Chrome to fix CVE-2026-11645?
Open Chrome and navigate to More (the three-dot menu) > Help > About Google Chrome. Chrome will automatically check for and download the latest update. The target version is 149.0.7827.103 on Windows and macOS, or 149.0.7827.102 on Linux. Once downloaded, click Relaunch to apply the update. On enterprise networks managed via Google Admin Console or Intune, push version 149.0.7827.103 to all enrolled endpoints and verify compliance before end of day.
What is the V8 JavaScript engine and why is it a frequent exploit target?
V8 is Google's open-source JavaScript and WebAssembly engine, originally developed for Chrome and now used in Node.js, Electron applications, and every Chromium-based browser. V8 is a high-value exploit target because it processes untrusted JavaScript from any web page at native machine code speed, executes inside every browser session without user opt-in, and is extraordinarily complex — containing a JIT compiler, garbage collector, and type inference system each of which has historically contained memory safety flaws. CVE-2026-11645 is the fifth V8-related or Chrome engine flaw exploited in 2026.
Can CVE-2026-11645 steal my passwords or data directly?
CVE-2026-11645 achieves code execution inside Chrome's renderer sandbox — the isolated process that handles web content. The renderer sandbox limits direct access to the OS filesystem and credential stores. However, renderer-level code execution can access in-page data including form fields, session tokens, and cookies loaded in the active tab. A two-stage exploit that also includes a sandbox escape — which Google has not confirmed or denied in this case — would enable OS-level access including credential stores and keychain data. Assume worst-case until Google discloses the full exploit chain used in the wild.
How many Chrome zero-days have been exploited in 2026?
CVE-2026-11645 is the fifth Chrome zero-day confirmed exploited in the wild in 2026, following CVE-2026-2441, CVE-2026-3909, CVE-2026-3910, and CVE-2026-5281. At a rate of roughly one exploited browser zero-day per month, 2026 represents a significant escalation compared to prior years. Security teams should treat Chrome browser version enforcement as a mandatory, continuously verified control — not a best practice — given the sustained exploitation cadence.
Sources & references
- The Hacker News: Chrome V8 Zero-Day CVE-2026-11645 Exploited in the Wild
- CISA Known Exploited Vulnerabilities Catalog
- Help Net Security: Google Patches Chrome Zero-Day CVE-2026-11645
- BleepingComputer: Google Patches Fifth Chrome Zero-Day Bug Exploited in Attacks
- Broadcom Security Center: CVE-2026-11645 Chrome V8 Zero-Day
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
