CVE-2026-11645: Chrome Zero-Day Vulnerability Exploited in the Wild

SOC Prime Team

Google has released emergency Chrome updates to address a Chrome zero-day vulnerability, a high-severity out-of-bounds read/write issue in the V8 JavaScript engine. Google says an exploit exists in the wild, and the patched Stable builds are rolling out as 149.0.7827.102/.103 for Windows and Mac and 149.0.7827.102 for Linux.

Public reporting says the flaw can be triggered through a specially crafted HTML page and may allow a remote attacker to execute arbitrary code inside the browser’s sandbox. SecurityWeek adds that the bug is the fifth Chrome zero-day exploited in 2026, following CVE-2026-2441, CVE-2026-3909, CVE-2026-3910, and CVE-2026-5281.

Technical details for CVE-2026-11645 remain limited because Google has restricted access to the bug report while updates propagate. The company says the vulnerability was reported in late April 2026 by an anonymous researcher, and SecurityWeek reports that the researcher received a $55,000 reward.

CVE-2026-11645 analysis

For CVE-2026-11645 analysis, the confirmed public description remains narrow: Google lists the issue as “out of bounds memory access in V8,” while BleepingComputer and SecurityWeek describe it as an out-of-bounds read/write flaw. In practical terms, that means malicious web content can make the JavaScript engine read or write memory outside the bounds of the object it is operating on, which may disclose sensitive data from the sandboxed renderer process, crash the browser, or provide the memory-corruption primitive needed for code execution within the sandbox.

From an exposure standpoint, CVE-2026-11645 affects Chrome desktop users who have not yet moved to the patched 149 release. BleepingComputer notes that successful exploitation can lead to heap corruption and unauthorized access beyond the intended memory buffer, and also says the flaw could help attackers bypass protections such as ASLR, potentially making a second vulnerability easier to weaponize.

At the time of writing, there is no public CVE-2026-11645 PoC in the cited sources, and Google has not disclosed technical exploit details or victimology. SecurityWeek notes that no information is available about the attacks, although it says the zero-day was likely paired with a sandbox escape flaw in real-world operations.

CVE-2026-11645 Mitigation

The immediate CVE-2026-11645 mitigation step is to update Chrome to the patched Stable versions Google released on June 8, 2026. Users who do not update manually will generally receive the fix automatically on the next browser relaunch, but Google says rollout can take days or weeks to fully reach all users.

For defenders, detection is limited: Google has intentionally withheld deeper technical information, and the cited reporting publishes no IOCs tied to exploitation of CVE-2026-11645. In practice, teams should treat exposure as the signal they can actually measure: inventory unmanaged or outdated Chrome installations, prioritize high-risk user groups, and confirm that enterprise fleets have reached the fixed 149 builds (149.0.7827.102 or later on every platform).
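As an added example (not code from the SOC Prime article), the following Python script implements that exposure check over a constructed inventory export. It assumes a CSV with hostname, platform, chrome_version and user_group columns, as an endpoint-management or osquery job might produce; the host names, group names and versions are made up for illustration. The fixed-build threshold is taken from the release versions quoted above. The one trap it guards against is comparing versions as strings, which ranks 149.0.7827.99 above 149.0.7827.102.

```python
"""Fleet exposure check for CVE-2026-11645.

Added example, not SOC Prime's code. Assumptions (not from the article):
the inventory is a CSV export with hostname,platform,chrome_version,user_group
columns, and the group names used for prioritisation are illustrative.
"""
import csv
import io
from dataclasses import dataclass

# Minimum Stable build that carries the fix, per platform. The article lists
# 149.0.7827.102/.103 for Windows and Mac and 149.0.7827.102 for Linux, so
# .102 is the lowest patched build on every platform.
FIXED_BUILD = {
    "windows": (149, 0, 7827, 102),
    "mac": (149, 0, 7827, 102),
    "linux": (149, 0, 7827, 102),
}

# Groups to patch first (assumption for the example, not from the article).
HIGH_RISK_GROUPS = {"executives", "finance"}

# Constructed sample export; none of these hosts or versions are real data.
SAMPLE_INVENTORY = """hostname,platform,chrome_version,user_group
fin-ws-01,windows,149.0.7827.103,finance
fin-ws-02,windows,149.0.7827.99,finance
eng-mac-07,mac,148.0.7790.120,engineering
eng-lnx-03,linux,149.0.7827.102,engineering
exec-ws-01,windows,149.0.7827.102,executives
hr-ws-04,windows,,hr
kiosk-01,linux,unknown,lobby
"""


@dataclass
class Finding:
    hostname: str
    platform: str
    version: str
    user_group: str
    status: str  # "patched", "vulnerable" or "unknown"


def parse_version(text):
    """Turn 'A.B.C.D' into a tuple of ints, or None if it is not a Chrome version.

    Tuples compare component-wise, so 149.0.7827.99 < 149.0.7827.102 as intended;
    comparing the raw strings would get that the wrong way round.
    """
    try:
        parts = tuple(int(p) for p in (text or "").strip().split("."))
    except ValueError:
        return None
    return parts if len(parts) == 4 else None


def assess_host(row):
    """Classify one inventory row against the fixed build for its platform."""
    platform = (row.get("platform") or "").strip().lower()
    raw_version = row.get("chrome_version") or ""
    version = parse_version(raw_version)
    fixed = FIXED_BUILD.get(platform)
    if version is None or fixed is None:
        status = "unknown"      # cannot prove the fix landed; treat as exposed
    elif version >= fixed:
        status = "patched"
    else:
        status = "vulnerable"
    return Finding(row["hostname"], platform, raw_version, row.get("user_group") or "", status)


def assess_inventory(csv_text):
    """Assess every row of a CSV export and return one Finding per host."""
    return [assess_host(row) for row in csv.DictReader(io.StringIO(csv_text))]


def prioritize(findings):
    """Work list: everything not provably patched, high-risk groups first,
    confirmed-vulnerable before unknown, then by hostname for stable output."""
    todo = [f for f in findings if f.status != "patched"]
    return sorted(
        todo,
        key=lambda f: (f.user_group not in HIGH_RISK_GROUPS, f.status != "vulnerable", f.hostname),
    )


if __name__ == "__main__":
    findings = assess_inventory(SAMPLE_INVENTORY)
    patched = sum(f.status == "patched" for f in findings)
    print(f"{patched}/{len(findings)} hosts on a fixed build")
    for f in prioritize(findings):
        print(f"{f.status:10} {f.hostname:12} {f.platform:8} {f.version or '<none>':16} {f.user_group}")
```

Hosts with a missing or unparseable version are reported as unknown rather than patched and sort with the vulnerable set, since an inventory gap is not evidence that the fix has landed. Note also that an agent reading the version from disk sees the installed build; a browser that has downloaded the update but not been relaunched can still be running the older code, which is why relaunch is part of the mitigation.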

FAQ

What is CVE-2026-11645 and how does it work?

CVE-2026-11645 is a high-severity Chrome V8 memory-safety flaw. Google describes it as out-of-bounds memory access in V8, and public reporting says a remote attacker can use a specially crafted HTML page to trigger the bug and potentially execute code inside the browser sandbox.

When was CVE-2026-11645 first discovered?

The public sources do not provide a private discovery date, but Google’s advisory and SecurityWeek say the issue was reported in late April 2026 by an anonymous researcher. Google announced the fix on June 8, 2026, and media coverage followed on June 9, 2026.

What is the impact of CVE-2026-11645 on systems?

The main impact is memory corruption in the browser process. Public reporting says exploitation can expose memory outside the intended buffer, trigger crashes, and potentially support arbitrary code execution inside the Chrome sandbox.

Can CVE-2026-11645 still affect me in 2026?

Yes. Any Chrome desktop installation still running a build older than the fixed 149 release remains exposed until it is updated and relaunched, and Google explicitly says an exploit exists in the wild, so users on unpatched builds who visit malicious web content are at risk.

How can I protect myself from CVE-2026-11645?

Update Chrome immediately to the latest Stable build, restart the browser to ensure the patch is applied, and verify that managed endpoints are no longer running older versions. Because Google has restricted technical details, rapid patching is the most reliable defense.

Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.