Chrome Zero-Day CVE-2026-11645 Under Attack: Google Releases Emergency Fix

Google has released an important security update for its Chrome browser, fixing 74 vulnerabilities, including a high-severity zero-day flaw that is already being actively exploited by cybercriminals. The vulnerability, identified as CVE-2026-11645, affects Chrome’s V8 engine and could allow attackers to execute malicious code on targeted systems.

Security experts are urging users and organizations to update their browsers immediately to protect themselves from potential attacks.

The most critical issue addressed in the latest Chrome security update is CVE-2026-11645, which has received a CVSS score of 8.8, indicating a high-severity security risk.

According to the U.S. National Vulnerability Database (NVD), the flaw is an out-of-bounds read and write vulnerability in Chrome’s V8 engine, the component responsible for processing JavaScript and WebAssembly code.

Researchers explained that a remote attacker could exploit the vulnerability by tricking a user into visiting a specially crafted malicious HTML page. Successful exploitation could allow the attacker to execute arbitrary code within Chrome’s sandbox environment, potentially leading to further compromise of the affected system.

Because web browsers are one of the most frequently used applications worldwide, vulnerabilities like this are highly attractive targets for threat actors seeking to infect devices, steal data, or gain unauthorized access.

The V8 engine is a critical part of Google Chrome. It is responsible for executing JavaScript code and supporting WebAssembly applications that power modern websites and web-based services.

Since almost every website relies on JavaScript, any security weakness in the V8 engine can have widespread consequences. Attackers often focus on browser engines because a successful exploit may require nothing more than convincing a victim to visit a malicious webpage.

In this case, the vulnerability involves improper memory access, known as an out-of-bounds read and write issue. Such flaws can lead to memory corruption and may be leveraged to execute malicious code.

The vulnerability was discovered and responsibly reported by a security researcher known as “303f06e3” on April 27, 2026.

As part of Google’s Vulnerability Reward Program, the researcher received a $55,000 bug bounty for identifying and reporting the flaw before it could cause broader damage.

Bug bounty programs play a crucial role in strengthening cybersecurity by encouraging researchers to report vulnerabilities directly to vendors instead of selling or publicly disclosing them.

Google has confirmed that an exploit for CVE-2026-11645 exists in the wild. This means attackers have already been observed using the vulnerability in real-world attacks.

However, as is common practice with actively exploited vulnerabilities, Google has not released technical details about the attack methods. Limiting public information helps prevent additional threat actors from creating new exploits before users have time to apply security updates.

The company stated that access to detailed bug information will remain restricted until the majority of users have updated their browsers.

The discovery of CVE-2026-11645 highlights the ongoing security challenges facing modern web browsers.

With this latest patch, Google has now fixed five actively exploited Chrome zero-day vulnerabilities in 2026:

  • CVE-2026-2441
  • CVE-2026-3909
  • CVE-2026-3910
  • CVE-2026-5281
  • CVE-2026-11645

The increasing number of browser-based attacks demonstrates how threat actors continue to target widely used software to maximize the impact of their campaigns.

Organizations that rely on Chrome across large environments should ensure that patch management processes are functioning effectively and that browser updates are deployed as quickly as possible.

To stay protected against CVE-2026-11645 and other recently fixed vulnerabilities, users should update Chrome immediately.

Google recommends upgrading to the following versions:

  • Windows: Chrome 149.0.7827.102 or 149.0.7827.103
  • macOS: Chrome 149.0.7827.102 or 149.0.7827.103
  • Linux: Chrome 149.0.7827.102

To check for updates:

  1. Open Google Chrome.
  2. Click the three-dot menu in the top-right corner.
  3. Select Help.
  4. Click About Google Chrome.
  5. Allow Chrome to download and install available updates.
  6. Click Relaunch to complete the update process.

Users should verify that the browser has restarted successfully to ensure the patch is fully applied.
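For teams checking many machines rather than one, the sketch below (an added example, not from Google or the original article) compares reported Chrome versions against the fixed builds listed above. It assumes any build at or above the listed one carries the fix; the inventory rows and host names are constructed sample data.

```python
import re

# Lowest fixed build per platform, taken from the version list in this article.
FIXED = {
    "windows": (149, 0, 7827, 102),
    "macos": (149, 0, 7827, 102),
    "linux": (149, 0, 7827, 102),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Pull a four-part version out of free text, e.g. the output of
    `google-chrome --version`. Returns a tuple of ints, or None."""
    match = VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def assess(platform, reported):
    """Classify one host as 'patched', 'vulnerable' or 'unknown'."""
    floor = FIXED.get(platform.lower())
    version = parse_version(reported)
    if floor is None or version is None:
        # No usable data: never count the host as patched by default.
        return "unknown"
    # Compare as integer tuples. Comparing the raw strings would rank
    # "149.0.7827.99" above "149.0.7827.102" and hide an unpatched host.
    return "patched" if version >= floor else "vulnerable"


def triage(inventory):
    """Group host names by patch status."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for host, platform, reported in inventory:
        report[assess(platform, reported)].append(host)
    return report


# Constructed sample inventory: (host, platform, reported version string).
INVENTORY = [
    ("wks-001", "Windows", "Google Chrome 149.0.7827.103"),
    ("wks-002", "Windows", "148.0.7778.97"),
    ("mac-014", "macOS", "Google Chrome 149.0.7827.102"),
    ("lnx-203", "Linux", "Google Chrome 149.0.7827.99 "),
    ("lnx-204", "Linux", "chrome not installed"),
    ("kiosk-9", "ChromeOS", "149.0.7827.102"),
]

if __name__ == "__main__":
    for status, hosts in triage(INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts in the `unknown` group need a manual check, since a missing or unparseable version says nothing about whether the fix is installed.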

The vulnerability impacts the Chromium codebase, meaning other Chromium-based browsers may also be vulnerable until their respective vendors release updates.

Affected browsers may include:

  • Microsoft Edge
  • Brave
  • Opera
  • Vivaldi

Users of these browsers should monitor vendor announcements and install security updates as soon as they become available.

The active exploitation of CVE-2026-11645 serves as another reminder of the importance of timely software updates. Browser vulnerabilities are especially dangerous because they can often be triggered simply by visiting a malicious website.

With attackers already exploiting this Chrome zero-day in real-world attacks, delaying updates could leave systems exposed to compromise. Home users, businesses, and enterprise security teams should prioritize applying the latest Chrome security patches immediately and ensure all Chromium-based browsers are updated as soon as fixes become available.
