Google has shipped an emergency fix for CVE-2026-11645, a vulnerability in Chrome’s V8 JavaScript and WebAssembly engine that attackers are already exploiting in the wild. It is the fifth actively exploited Chrome zero-day of 2026 — and, as with the others, all it takes to trigger is a victim visiting a malicious web page.

The flaw is rated high severity (CVSS 8.8) and is described as an out-of-bounds memory access in V8. In practice that means a crafted HTML page can corrupt the heap, read and write memory outside its intended bounds, and chain toward arbitrary code execution inside the browser. Google confirmed that “an exploit for CVE-2026-11645 exists in the wild,” its standard phrasing for a vulnerability under active attack.

The technical shape of the bug

Out-of-bounds access in V8 is among the most valuable bug classes for exploit developers. Beyond the immediate ability to corrupt heap data, the flaw can be used to bypass protections such as ASLR (Address Space Layout Randomization), making it a reliable building block for a full exploit chain when paired with a second weakness — typically a sandbox escape. Browser-based zero-days like this are the front door for everything from commercial spyware to drive-by malware delivery.

The vulnerability was reported on April 27, 2026 by a researcher credited as “303f06e3,” who received a $55,000 bug bounty — a payout that signals both the quality of the report and the severity Google assigned to it. Following its usual practice for actively exploited bugs, Google is withholding technical details until a majority of users have updated, to avoid arming additional attackers before patches propagate.

You are almost certainly affected

V8 powers not just Chrome but the entire Chromium ecosystem — Microsoft Edge, Brave, Opera, Vivaldi, and countless Electron-based desktop applications. A V8 zero-day is therefore never just a Chrome problem; every downstream browser and app that embeds Chromium needs the corresponding update.

The fix is shipping in:

  • Chrome 149.0.7827.102 / .103 for Windows and macOS
  • Chrome 149.0.7827.102 for Linux

Updates roll out gradually, so do not wait for the automatic prompt. Open chrome://settings/help, let the browser pull the latest build, and relaunch — the update does not take effect until Chrome restarts, the step users most often skip.

A worsening zero-day cadence

CVE-2026-11645 follows CVE-2026-2441, CVE-2026-3909, CVE-2026-3910, and CVE-2026-5281 — five in-the-wild Chrome zero-days before the year is even half over. The drumbeat is a reminder that the browser is now the primary attack surface for most users, and that edge-device and browser zero-days are being weaponized faster than ever. We have tracked the same urgency on the network-perimeter side, including the actively exploited Check Point VPN zero-day CVE-2026-50751 that triggered a CISA emergency directive this month.

What to do now

  • Update and relaunch Chrome immediately. Confirm you are on 149.0.7827.102 or later via chrome://settings/help.
  • Patch every Chromium browser in your environment — Edge, Brave, Opera, Vivaldi — not just Chrome.
  • Inventory Electron apps. Desktop applications bundling Chromium need vendor updates; they do not patch via Chrome’s updater.
  • For enterprises, force the update. Use Chrome Browser Cloud Management or your endpoint tooling to push the build rather than relying on users to relaunch.
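The first two items above come down to a version check, and a careless one gets it wrong: compared as strings, "149.0.7827.99" sorts after "149.0.7827.102". The following script is an added example, not code from the article or from Google; it parses `--version` output numerically, compares Chrome and Chromium builds against the 149.0.7827.102 threshold given above, and, because Edge, Brave, Opera and Vivaldi carry their own version numbers and publish their own fixed builds, refuses to judge those against the Chrome number. The sample lines and the `audit`/`is_at_least` names are constructed for the example.

```python
import re

# Fixed Chrome builds named in the advisory: 149.0.7827.102 (all platforms) / .103 (Windows, macOS).
CHROME_FIXED = "149.0.7827.102"

VERSION_RE = re.compile(r"(\d+(?:\.\d+){1,3})")


def parse_version(text):
    """Pull the first dotted version out of a `--version` line; return it as a tuple of ints."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_at_least(found, required):
    """Numeric comparison. A string compare fails here: '149.0.7827.99' > '149.0.7827.102' as text."""
    width = max(len(found), len(required))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(found) >= pad(required)


def audit(version_lines, chrome_fixed=CHROME_FIXED):
    """Classify each `--version` line as 'patched', 'VULNERABLE', 'check vendor advisory' or 'unparsed'."""
    required = parse_version(chrome_fixed)
    results = {}
    for line in version_lines:
        found = parse_version(line)
        name = line.lower()
        if found is None:
            results[line] = "unparsed"
        elif "google chrome" in name or name.startswith("chromium"):
            # Only Chrome/Chromium share the build numbering the advisory quotes.
            results[line] = "patched" if is_at_least(found, required) else "VULNERABLE"
        else:
            # Edge, Brave, Opera, Vivaldi: own numbering, own fixed builds; the Chrome number is meaningless here.
            results[line] = "check vendor advisory"
    return results


# Constructed sample output in the shape `<browser> --version` prints on Linux/macOS (not real captures).
SAMPLE = [
    "Google Chrome 149.0.7827.102",
    "Google Chrome 149.0.7827.99",
    "Chromium 149.0.7827.103",
    "Microsoft Edge 149.0.3254.51",
    "Brave Browser 1.90.113 Chromium: 149.0.7827.102",
]

if __name__ == "__main__":
    for line, verdict in audit(SAMPLE).items():
        print(f"{verdict:22} {line}")
```

Run it against the real output of each browser binary on the host; a "VULNERABLE" Chrome line means the update has not been pulled or the browser has not been relaunched.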

A single crafted page is the whole attack. With an exploit already circulating, the gap between “patch available” and “patch applied” is exactly the window attackers are counting on.
