Google patches actively exploited Chrome V8 zero-day (CVE-2026-11645)
Google shipped an emergency Chrome update fixing CVE-2026-11645, a high-severity out-of-bounds memory flaw in the V8 engine that lets a crafted web page run arbitrary code and for which an exploit already exists in the wild.
- Victim: Google Chrome
On 9 June 2026, Google shipped an emergency update to its Chrome browser to fix CVE-2026-11645, a high-severity zero-day in the V8 JavaScript and WebAssembly engine that it acknowledged is already being exploited in attacks. It is the fifth Chrome zero-day Google has patched in 2026.
What happened
CVE-2026-11645 is an out-of-bounds read and write in V8, carrying a CVSS score of 8.8. By luring a victim to a malicious page, a remote attacker can corrupt memory in the engine and execute arbitrary code inside Chrome's renderer. As is standard practice, Google said an "exploit for CVE-2026-11645 exists in the wild" but withheld further technical detail to give users time to update before the bug is reverse-engineered from the patch.
The flaw was reported on 27 April 2026 by a researcher using the handle "303f06e3", who received a $55,000 bug bounty. Google addressed it in Chrome Stable versions 149.0.7827.102/.103 for Windows and macOS and 149.0.7827.102 for Linux, with the rollout reaching users over the following days.
Why it matters
V8 is one of the most heavily targeted attack surfaces in the modern browser: a memory-corruption bug there can be chained with a sandbox escape to give an attacker code execution on the host, which is why these flaws are prized for drive-by compromise and targeted spyware delivery. With a working exploit already circulating, the gap between Google's disclosure and a user actually restarting Chrome to apply the fix is exactly the window attackers race to exploit, making prompt updating, including of the many Chromium-based browsers that inherit V8, the only meaningful mitigation.
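The restart gap described above can be measured across a fleet. The following is an added example, not code from Google or from the cited sources: it compares each host's installed and running Chrome version against the fixed build 149.0.7827.102 named in this article. The inventory format, column names, host names and sample versions are constructed assumptions.

```python
import csv
import io

# Fixed build from the article: 149.0.7827.102 is the lowest patched
# Stable build listed for Windows, macOS and Linux.
FIXED = (149, 0, 7827, 102)

# Constructed sample inventory (hypothetical hosts and column names).
SAMPLE = """host,platform,installed,running
ws-001,windows,149.0.7827.103,149.0.7827.103
ws-002,windows,149.0.7827.102,149.0.7827.54
mac-07,macos,148.0.7700.12,148.0.7700.12
lnx-03,linux,149.0.7827.102,149.0.7827.102
kiosk-9,linux,unknown,
"""


def parse_version(text):
    """Return a 4-tuple of ints, or None if the string is not a Chrome version."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def classify(installed, running):
    """Classify one host: 'patched', 'restart-pending', 'vulnerable' or 'unknown'."""
    inst, run = parse_version(installed), parse_version(running)
    if inst is None or run is None:
        return "unknown"          # treat as exposed until verified
    if inst < FIXED:
        return "vulnerable"       # update not yet installed
    if run < FIXED:
        return "restart-pending"  # fixed binary on disk, old process still running
    return "patched"


def audit(inventory_csv):
    """Map each host in the CSV text to its classification."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["installed"] or "", r["running"] or "") for r in rows}


if __name__ == "__main__":
    for host, state in audit(SAMPLE).items():
        print(f"{host:8} {state}")
```

Hosts reported as `restart-pending` have the update on disk but are still running the old build, so they remain exposed until the browser is relaunched.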
Timeline
- 27 April 2026: A researcher using the handle "303f06e3" reports the flaw to Google, later earning a $55,000 bug bounty.
- 9 June 2026: Google releases a Chrome Stable update (149.0.7827.102/.103) and confirms that an exploit for CVE-2026-11645 exists in the wild.
Sources
- thehackernews.com: https://thehackernews.com/2026/06/chrome-v8-zero-day-cve-2026-11645.html
- helpnetsecurity.com: https://www.helpnetsecurity.com/2026/06/09/google-chrome-zero-day-cve-2026-11645/
- socradar.io: https://socradar.io/blog/cve-2026-11645-chrome-v8-bug/
- socprime.com: https://socprime.com/blog/cve-2026-11645-chrome-zero-day-vulnerability-exploited-in-the-wild/