Chrome Zero-Day CVE-2026-11645 Actively Exploited
Google has issued an emergency security update for its Chrome web browser to address CVE-2026-11645, a high-severity zero-day vulnerability actively exploited in the wild. This flaw, characterized as an out-of-bounds read and write weakness within the V8 JavaScript engine, marks the fifth such zero-day patched by Google since the beginning of the year. While a specific CVSS score has not been publicly detailed, Google's classification of the vulnerability as high-severity shows its potential impact.
Successful exploitation of CVE-2026-11645 could allow remote attackers to execute arbitrary code within the browser's sandboxed environment. Attackers achieve this by crafting malicious HTML pages, which, when rendered by an unpatched Chrome instance, can trigger the vulnerability. Google's rapid patching shows this vulnerability is critical, making it urgent for users to update their browser installations.
Google's response follows the vulnerability's anonymous disclosure to the company approximately two weeks prior to the public patch release. The patches, designated for Chrome versions 149.0.7827.102 for Windows and Linux, and 149.0.7827.103 for Mac, are being rolled out globally. Organizations and individual users are advised to implement these updates without delay to reduce the risk from this actively exploited flaw.
What is CVE-2026-11645 and why is it critical?
CVE-2026-11645 is a high-severity zero-day vulnerability in Google Chrome that results from an out-of-bounds read and write weakness within the V8 JavaScript engine. The V8 engine compiles and executes JavaScript code within the browser. Attackers often target it due to its privileged position in processing web content. An out-of-bounds read or write occurs when a program attempts to access memory outside the boundaries of an allocated buffer. This can lead to various unpredictable behaviors, from application crashes to the disclosure of sensitive information, and the ability to execute arbitrary code.
Google confirms this vulnerability is critical due to active exploitation. The designation "zero-day" indicates the flaw was being actively exploited by malicious actors before a patch was publicly available. These vulnerabilities pose an immediate, severe risk because attackers have an exploit defenders may not detect or prevent. Remote code execution within the browser's sandbox means an attacker can potentially gain control of the compromised browser, which could lead to further system compromise.
Impact
The exploitation of CVE-2026-11645 can have significant consequences for affected users and organizations. An attacker can achieve remote code execution (RCE) inside the web browser's sandbox. They can inject and run their own code within the browser's isolated environment. While browsers are designed with sandboxes to limit the impact of such compromises, an RCE in the sandbox often provides an initial foothold for further attacks, possibly leading to sandbox escapes and full system compromise.
The out-of-bounds read and write weakness can expose sensitive information or trigger application crashes. Accessing data beyond the memory buffer through heap corruption can allow attackers to read memory that should not be accessible. This could disclose user data, internal program states, or other confidential information. The vulnerability can also bypass protection mechanisms like Address Space Layout Randomization (ASLR). ASLR is a security feature that prevents reliable exploitation of memory corruption vulnerabilities. Bypassing ASLR simplifies exploiting other weaknesses, making it easier for attackers to achieve arbitrary code execution outside the browser's sandbox.
All users running unpatched versions of Google Chrome on Windows, macOS, and Linux are at risk. This includes individuals, enterprises, and government entities that rely on Chrome for web browsing. Because Google Chrome is widely adopted, the vulnerability has extensive real-world reach. Organizations using Chrome in their environments face increased risk of initial access by threat actors. This could lead to data exfiltration, malware deployment, or persistent access within their networks. The attack vector, using crafted HTML pages, means merely visiting a malicious website can initiate an attack without direct user interaction beyond browsing.
Exploitation Chain
The exploitation of CVE-2026-11645 starts with a remote attack vector: crafted HTML pages. Attackers prepare a malicious webpage with HTML and JavaScript code designed to trigger the out-of-bounds read and write vulnerability in Chrome's V8 JavaScript engine. When a user navigates to this malicious page with an unpatched version of Google Chrome, the browser attempts to parse and execute the embedded code.
Exploitation requires the victim to use an affected version of Google Chrome and visit an attacker-controlled webpage. This could occur through deceptive campaigns like phishing or malvertising, or by users visiting compromised legitimate websites. Once the crafted HTML page is loaded, the vulnerability is triggered, allowing the attacker's code to run within the browser's sandbox.
Google has confirmed that an exploit for CVE-2026-11645 exists in the wild and has been actively used in attacks. While specific details about the ongoing exploitation incidents have been kept restricted by Google to allow a majority of users to update their browsers, the company's immediate emergency patch indicates the severity and active threat situation. Such restrictions are also common when the bug might exist in third-party libraries used by other projects. This practice prevents further exploitation before widespread patching.
This incident is not isolated. It marks the fifth Chrome zero-day vulnerability patched by Google this year alone, demonstrating a consistent targeting of the browser by threat actors. Previous exploited zero-days in Chrome in 2026 include:
- CVE-2026-2441: An iterator invalidation bug in CSSFontFeatureValuesMap, addressed in mid-February.
- CVE-2026-3909: An out-of-bounds write weakness in the Skia 2D graphics library, patched in March.
- CVE-2026-3910: An inappropriate implementation vulnerability in the V8 JavaScript and WebAssembly engine, also patched in March.
- CVE-2026-5281: A use-after-free weakness in Dawn, the cross-platform implementation of the WebGPU standard, addressed in April.
These recurring zero-day exploitations show the persistent efforts by malicious actors to compromise web browsers to gain initial access, steal data, or penetrate networks further. Our analysis of Google Chrome zero-day vulnerability CVE-5419 detailed similar attack patterns and the need for prompt updates. A recent blog post detailing another Google Chrome zero-day vulnerability also showed the rapid response required for such threats. For context on Google's response to these threats, refer to our analysis of Chrome zero-days exploited in 2025. The pattern in these vulnerabilities, particularly those affecting the V8 engine, suggests attackers continue to focus on core browser components that render and execute dynamic web content.
Affected Products and Versions
The CVE-2026-11645 vulnerability affects Google Chrome on multiple operating systems. Users running versions before the patched versions are vulnerable.
The following versions of Google Chrome are confirmed to be affected:
- Google Chrome Stable Desktop channel versions prior to 149.0.7827.102 on Windows and Linux.
- Google Chrome Stable Desktop channel versions prior to 149.0.7827.103 on Mac.
Organizations should identify and inventory all Google Chrome instances in their environment and compare them against these affected version ranges to determine their exposure to CVE-2026-11645.
Detection
Detecting CVE-2026-11645 exploitation in real-time can be challenging. It is a zero-day vulnerability with limited public details about specific exploit payloads. However, a multi-layered approach using endpoint, network, and logging visibility can help identify post-exploitation activities or indicators.
Endpoint Detection and Response (EDR) Systems:
- Monitor for unusual process execution from the Chrome browser process (e.g., chrome.exe spawning child processes like cmd.exe, powershell.exe, or other atypical browser helper processes).
- Look for suspicious file writes or modifications in user profile directories or critical system locations by Chrome processes.
- Implement rules to detect abnormal memory access patterns or unexpected code execution in the chrome.exe process space.
- Identify attempts by Chrome processes to access network resources outside of typical browsing behavior or to connect to known malicious IP addresses or domains.
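One way to express the first EDR rule above over process-creation telemetry, as an added example (not part of the original article and not a vendor rule). The JSON field names and sample events are constructed, pwsh.exe is an assumed addition to the watched list, and the native-messaging suppression pattern is an assumption to verify against your own data.

```python
import json
import re
from pathlib import PureWindowsPath

# cmd.exe and powershell.exe come from the advisory; pwsh.exe is an assumed addition.
WATCHED_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Assumption: Chrome on Windows starts extension native-messaging hosts via cmd.exe,
# so that launch shape is expected. Verify the pattern against your own telemetry.
EXPECTED_CMDLINE = re.compile(r"chrome-extension://[a-p]{32}/.*chrome\.nativeMessaging", re.I)

def basename(path):  # lower-cased file name of a Windows path ('' if empty)
    return PureWindowsPath(path).name.lower()

def detect(event_lines):
    """Return alerts for events where chrome.exe creates a watched child process."""
    alerts = []
    for line in event_lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the run
        if not isinstance(ev, dict) or basename(ev.get("parent_image", "")) != "chrome.exe":
            continue
        child = basename(ev.get("image", ""))
        if child not in WATCHED_CHILDREN:
            continue  # chrome.exe -> chrome.exe (renderer, GPU) is normal
        cmdline = ev.get("command_line", "")
        if EXPECTED_CMDLINE.search(cmdline):
            continue
        alerts.append({"host": ev.get("host"), "child": child, "command_line": cmdline})
    return alerts

# Constructed sample events; field names are hypothetical, not a real EDR schema.
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
NATIVE_HOST = (r'cmd.exe /d /c "C:\Tools\host.exe" chrome-extension://' + "a" * 32 +
               r"/ < \\.\pipe\chrome.nativeMessaging.in.1")
SAMPLE_EVENTS = [json.dumps(e) for e in (
    {"host": "ws-001", "parent_image": CHROME, "image": CHROME,
     "command_line": "chrome.exe --type=renderer"},
    {"host": "ws-002", "parent_image": CHROME, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": NATIVE_HOST},
    {"host": "ws-003", "parent_image": CHROME,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoProfile"},
    {"host": "ws-004", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe"},
)] + ["{not json"]
if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```

Suppression keyed on command-line text alone is weak evidence, so in production route suppressed events to a lower-priority queue rather than discarding them.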
Network Monitoring:
- Monitor network traffic for outbound connections from user workstations running Chrome to unusual or unknown IP addresses or domains, particularly those deviating from baselines, and analyze DNS queries for suspicious domain resolution.
- Look for unexpected increases in data exfiltration attempts or communication with command-and-control (C2) servers.
Logging and Alerting:
- Regularly review browser logs, operating system event logs (e.g., Windows Event Log, Linux audit logs), and security software logs for anomalies tied to Chrome processes.
- Focus on alerts related to process creation, network connections, and file system activity initiated by the browser.
- Maintain full web proxy or firewall logs to monitor HTTP/S traffic and identify requests to known malicious URLs or unusual user agent strings.
Because the vulnerability involves crafted HTML pages, organizations should prioritize strong email and web filtering solutions to block access to known malicious sites or content. While Google has not yet publicly detailed specific Indicators of Compromise (IOCs) for this zero-day, general vigilance against common web-based attack patterns remains crucial.
Remediation
Prompt remediation is essential due to the active exploitation of CVE-2026-11645. The most effective remediation is to update Google Chrome to the patched versions immediately.
Patching:
- For Windows and Linux users: Update Google Chrome to version 149.0.7827.102 or later.
- For Mac users: Update Google Chrome to version 149.0.7827.103 or later.
Users can typically update Chrome by navigating to chrome://settings/help or by restarting the browser, which often triggers an automatic update check. Enterprise environments should use their software deployment tools to push these updates to all managed endpoints.
Workarounds:
While immediate patching is the definitive solution, in scenarios where instant deployment across all systems is not feasible, the following operational mitigations can reduce exposure, though they may impact usability:
- Temporarily restrict access to untrusted or suspicious websites through network proxies or firewalls, and consider enforcing stricter browser security settings or deploying browser isolation technologies.
- Educate users on phishing awareness, particularly regarding suspicious links or attachments that could lead to malicious web pages.
Monitoring:
- After applying patches, continue to monitor systems for any signs of residual compromise or post-exploitation activity, as attackers may have already gained a foothold on some systems prior to patching.
- Regularly verify that all Chrome instances across the environment are running the latest stable versions to ensure ongoing protection against newly discovered vulnerabilities.
- Maintain strong endpoint detection and response capabilities.
- Review security logs for any anomalous behavior originating from browser processes.
Technical Takeaways
- CVE-2026-11645 is a high-severity zero-day out-of-bounds read/write vulnerability in Google Chrome's V8 JavaScript engine.
- The flaw enables remote attackers to achieve arbitrary code execution in the browser's sandbox via crafted HTML pages.
- Google confirmed active exploitation of CVE-2026-11645 in the wild, which required an emergency patch.
- Affected Chrome versions are those prior to 149.0.7827.102 for Windows/Linux and 149.0.7827.103 for Mac.
- Successful exploitation can expose data, crash applications, and bypass security mitigations like ASLR.
- This marks the fifth Chrome zero-day patched in 2026, indicating persistent targeting of browser vulnerabilities.