Google has released an emergency security update for Chrome, fixing the fifth actively exploited zero-day vulnerability discovered in the browser during 2026.
The newly patched flaw, tracked as CVE-2026-11645, affects Chrome's V8 JavaScript and WebAssembly engine and has reportedly been exploited in real-world attacks before a security fix became available.
What is CVE-2026-11645?
According to Google's security advisory, CVE-2026-11645 is a high-severity out-of-bounds read and write vulnerability in Chrome's V8 engine. Successful exploitation could allow attackers to execute arbitrary code within the browser's sandbox by luring victims to a specially crafted malicious webpage.
Security researchers believe attackers could potentially chain this vulnerability with other flaws, such as sandbox escape vulnerabilities, to gain deeper access to a victim's system.
Fifth Chrome Zero-Day Patched in 2026
This marks the fifth Chrome zero-day vulnerability patched by Google in 2026, highlighting the growing focus of threat actors on browser-based attacks.
The Chrome zero-days patched so far this year, including the latest, are:
- CVE-2026-2441 (CSSFontFeatureValuesMap)
- CVE-2026-3909 (Skia Graphics Library)
- CVE-2026-3910 (V8 Engine)
- CVE-2026-5281 (Dawn WebGPU Component)
- CVE-2026-11645 (V8 Engine)
The continued targeting of Chrome's V8 engine demonstrates how browser exploitation remains a valuable attack vector for cybercriminals and advanced threat groups.
Patch Details
Google has released patched versions for all major desktop platforms:
- Windows & Linux: Chrome 149.0.7827.102
- macOS: Chrome 149.0.7827.103
The updates are being rolled out gradually through the Stable Desktop channel. While automatic updates are enabled by default, users can manually update Chrome by navigating to:
Settings → Help → About Google Chrome
The browser will automatically check for and install available updates before prompting a restart.
Limited Technical Details Released
As is common with actively exploited vulnerabilities, Google has restricted detailed technical information regarding the flaw until the majority of users have updated their browsers.
The vulnerability was reportedly disclosed to Google by an anonymous security researcher in late April 2026. Google acknowledged that an exploit for the vulnerability exists in the wild but has not disclosed details regarding the attacks or threat actors involved.
Why This Matters
Modern web browsers have become one of the most attractive targets for attackers because they serve as the primary gateway to online services, corporate applications, and sensitive user data.
A single successful browser exploit can potentially lead to:
- Credential theft
- Malware deployment
- Session hijacking
- Corporate network compromise
- Further privilege escalation attacks
The discovery of five actively exploited Chrome zero-days within the first half of 2026 underscores the importance of maintaining up-to-date software and implementing strong browser security practices.
Recommendations for Users
Security experts recommend:
- Update Chrome immediately
- Enable automatic browser updates
- Avoid visiting untrusted websites
- Use browser isolation where possible
- Keep operating systems and security software updated
Organizations should prioritize patch deployment across managed endpoints to minimize exposure to browser-based attacks.
Final Thoughts
Google's rapid response to CVE-2026-11645 demonstrates the ongoing arms race between browser vendors and cybercriminals. As attackers continue targeting browser engines like V8, timely patching remains one of the most effective defenses against zero-day exploitation.
Users are strongly encouraged to update Chrome as soon as possible to ensure protection against known attacks exploiting this vulnerability.