Chrome V8 Zero-Day Under Active Exploitation — Update Now
Google patches CVE-2026-11645, the fifth actively exploited Chrome zero-day of 2026. The V8 out-of-bounds memory flaw enables sandbox code execution via malicious web pages.
Google released an emergency Chrome update over the weekend to address CVE-2026-11645, a high-severity out-of-bounds memory access vulnerability in the V8 JavaScript engine that attackers are actively exploiting in the wild. This marks the fifth Chrome zero-day patched this year, continuing a relentless pace of browser-targeted attacks.
The flaw carries a CVSS score of 8.8 and affects all Chrome versions prior to 149.0.7827.103. According to Google's security advisory, successful exploitation allows remote attackers to execute arbitrary code within the browser sandbox via a crafted HTML page. Google acknowledged that "an exploit for CVE-2026-11645 exists in the wild" but declined to share technical specifics to limit further abuse.
How the Attack Works
Out-of-bounds memory access in V8 typically manifests when the JavaScript engine mishandles array indexing or object property access, allowing attackers to read or write memory outside intended boundaries. In CVE-2026-11645, the vulnerable code path can be triggered through malicious JavaScript embedded in a web page. Visiting a compromised or attacker-controlled site is sufficient to initiate exploitation.
While sandbox restrictions limit what attackers can immediately achieve, browser sandbox escapes have become increasingly common. Pairing CVE-2026-11645 with a sandbox bypass could enable full system compromise. The Skia and V8 zero-days we reported in April demonstrated exactly this chaining technique.
Discovery and Patch Timeline
A security researcher operating under the handle "303f06e3" discovered the vulnerability on April 27, 2026, reporting it through Google's Vulnerability Reward Program. The researcher received a $55,000 bug bounty for responsible disclosure, placing this finding at the upper end of Chrome payouts.
Google shipped the fix in Chrome 149 Stable on June 8, 2026. Updated versions are:
- Windows and macOS: 149.0.7827.102/.103
- Linux: 149.0.7827.102
Chrome typically auto-updates in the background, but users should verify their version by navigating to Settings > About Chrome. Organizations with managed Chrome deployments should push updates immediately.
Fifth Zero-Day of 2026
CVE-2026-11645 joins a growing list of actively exploited Chrome vulnerabilities this year:
- CVE-2026-2441 - V8 type confusion (January)
- CVE-2026-3909 - Skia graphics library flaw (April)
- CVE-2026-3910 - V8 memory corruption (April)
- CVE-2026-5281 - WebRTC implementation bug (May)
- CVE-2026-11645 - V8 out-of-bounds access (June)
The concentration of V8-related vulnerabilities underscores why Chrome's JavaScript engine remains a prime target. V8 processes untrusted JavaScript on virtually every web page, making it both security-critical and a massive attack surface.
Why Attackers Target Browsers
Browser zero-days command premium prices in both legitimate bug bounty programs and underground markets. They offer several advantages for threat actors:
Universal reach: Chrome controls roughly 65% of the desktop browser market. A working Chrome exploit potentially reaches billions of users.
Silent exploitation: Unlike phishing, which requires user interaction with malicious attachments, browser exploits trigger automatically when a user visits a webpage. Watering hole attacks become trivially easy.
Initial access: For APT groups and ransomware operators, browser compromise provides clean initial access to corporate networks. This is particularly valuable now that AI-assisted phishing detection has improved email security.
Recommended Actions
- Update Chrome immediately - Verify you're running version 149.0.7827.103 or later
- Enable auto-updates - Ensure Chrome's automatic update mechanism isn't disabled by policy
- Review browser extensions - Malicious extensions can disable security features or facilitate exploitation
- Consider enterprise browser isolation - High-value targets should evaluate browser isolation solutions for sensitive workflows
Organizations using Chromium-based browsers including Microsoft Edge and Brave should monitor their respective vendors for corresponding patches. The underlying V8 vulnerability affects the shared engine powering multiple browsers.
Why This Matters
Five actively exploited zero-days in six months signals that browser security is under sustained assault. Security vendors like PortSix have reported increased scanning for browser fingerprinting indicators, suggesting threat actors are actively cataloging vulnerable browser populations.
For security teams, the takeaway is straightforward: treat browser patching with the same urgency as operating system patches. The days of deprioritizing "just a browser update" are over.