
CVE-2026-11645 Chrome Vulnerability

By Mezo in Vulnerability

Google has released emergency security updates to address another actively exploited zero-day vulnerability in the Chrome browser. The flaw, tracked as CVE-2026-11645, marks the fifth Chrome zero-day patched by the company since the beginning of 2026.

According to Google, evidence confirms that an exploit targeting this vulnerability is already being used in real-world attacks. The issue was reported anonymously to the company, and a fix was subsequently deployed through the Stable Desktop channel.

Patched versions are currently being rolled out globally for Windows (149.0.7827.102), macOS (149.0.7827.103), and Linux (149.0.7827.102). However, the update process may take several days or even weeks before reaching all Chrome users.

For those who do not manually install updates, Chrome is designed to automatically check for and apply available security fixes during the next browser launch.
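Because the rollout can take days or weeks, a fleet check against the fixed builds listed above is useful. The script below is an added example, not code from Google or from this article. It assumes Stable-channel version strings as reported by a software inventory, and the hostnames and inventory rows are constructed.

```python
import re

# Fixed Stable builds per platform, as listed in the article.
FIXED = {
    "windows": "149.0.7827.102",
    "macos": "149.0.7827.103",
    "linux": "149.0.7827.102",
}

def parse_version(text):
    """Turn 'MAJOR.MINOR.BUILD.PATCH' into a tuple of ints for numeric comparison."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){3}", text, re.ASCII):
        raise ValueError(f"not a Chrome version: {text!r}")
    return tuple(int(part) for part in text.split("."))

def classify(platform, version):
    """Return 'patched', 'needs_update' or 'unknown' for one inventory row."""
    fixed = FIXED.get(platform.strip().lower())
    if fixed is None:
        return "unknown"          # platform the article gives no fixed build for
    try:
        installed = parse_version(version)
    except ValueError:
        return "unknown"          # unparseable inventory data needs a manual look
    # Tuple comparison is numeric: as plain strings, "149.0.7827.55" would
    # sort above "149.0.7827.102" and be wrongly reported as patched.
    return "patched" if installed >= parse_version(fixed) else "needs_update"

def audit(rows):
    """Map each hostname to its status."""
    return {host: classify(platform, version) for host, platform, version in rows}

# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE = [
    ("ws-001", "Windows", "149.0.7827.102"),
    ("ws-002", "windows", "149.0.7827.55"),
    ("mac-014", "macOS", "149.0.7827.102"),
    ("lnx-007", "Linux", "150.0.7900.10"),
    ("kiosk-3", "ChromeOS", "149.0.7827.102"),
    ("ws-003", "Windows", "not reported"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host:8} {status}")
```

Note that the macOS row at 149.0.7827.102 is flagged, since the fixed macOS build is .103.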

Inside CVE-2026-11645: A Dangerous V8 Engine Flaw

The high-severity vulnerability originates from an out-of-bounds read and write weakness within Chrome's V8 JavaScript engine. Attackers can exploit the flaw through specially crafted HTML pages, potentially enabling arbitrary code execution inside the browser's sandbox environment.

Successful exploitation can result in heap corruption, allowing attackers to access memory outside intended boundaries. This behavior may expose sensitive information, cause browser crashes, or facilitate additional malicious activity.

Beyond unauthorized memory access, the vulnerability could also be leveraged to bypass security protections such as Address Space Layout Randomization (ASLR), increasing the likelihood of achieving code execution when combined with other weaknesses.

Limited Disclosure to Protect Users

Although Google has acknowledged active exploitation of the vulnerability, the company has not yet disclosed technical details regarding the attacks. Access to bug information and related resources may remain restricted until a significant portion of Chrome users have installed the security update.

Restrictions may also continue if the affected code exists within third-party libraries that are used by other projects and have not yet implemented their own fixes.

A Growing List of Zero-Day Threats in 2026

CVE-2026-11645 joins several other Chrome zero-days that have been actively exploited this year:

  • CVE-2026-2441 – An iterator invalidation vulnerability in CSSFontFeatureValuesMap, patched in February.
  • CVE-2026-3909 – An out-of-bounds write flaw in the Skia 2D graphics library, exploited in March.
  • CVE-2026-3910 – An inappropriate implementation vulnerability affecting the V8 JavaScript and WebAssembly engine, also exploited in March.
  • CVE-2026-5281 – A use-after-free vulnerability in Dawn, Chromium's cross-platform WebGPU implementation, patched in April.

Chrome’s Ongoing Battle Against Zero-Day Exploits

The latest emergency update highlights the persistent threat posed by zero-day vulnerabilities targeting modern web browsers. Throughout 2025, Google addressed eight additional Chrome zero-days that were exploited in the wild. Several of those vulnerabilities were identified by Google's Threat Analysis Group (TAG), a specialized team known for tracking sophisticated cyber-espionage operations and spyware campaigns.

The continued discovery of actively exploited flaws underscores the importance of timely browser updates and rapid vulnerability remediation in protecting users against evolving cyber threats.
