Blog Trainings Request a Demo Login
Get Your Free Report
Start for Free
SOCRadar® Cyber Intelligence Inc. | CVE-2026-11645: Exploited Chrome V8 Bug Enables In-Browser Code Execution
Table Of Content
Related Articles
SOCRadar® Cyber Intelligence Inc. | CISA KEV Highlights LiteLLM RCE (CVE-2026-42271) & Check Point VPN Auth Bypass (CVE-2026-50751)
CISA KEV Highlights LiteLLM RCE (CVE-2026-42271) & Check Point VPN Auth Bypass (CVE-2026-50751)
Jun 09, 2026
SOCRadar® Cyber Intelligence Inc. | Shai-Hulud Hades PyPI Campaign: 19 Packages Trojanized via Wheel Startup Hooks
Shai-Hulud Hades PyPI Campaign: 19 Packages Trojanized via Wheel Startup Hooks
Jun 09, 2026
SOCRadar® Cyber Intelligence Inc. | Handala Claims It Disrupted Israeli Radar Systems: Here's What We Actually Know
Handala Claims It Disrupted Israeli Radar Systems: Here's What We Actually Know
Jun 08, 2026
SOCRadar® Cyber Intelligence Inc. | CVE-2026-20230: Cisco Unified CM WebDialer SSRF Can Lead to Root-Level Compromise
CVE-2026-20230: Cisco Unified CM WebDialer SSRF Can Lead to Root-Level Compromise
Jun 05, 2026
SOCRadar® Cyber Intelligence Inc. | HTTP/2 Bomb: How Default Configurations Open a New DoS Vector
HTTP/2 Bomb: How Default Configurations Open a New DoS Vector
Jun 04, 2026
Free Dark Web Report
Is your Domain/Email Exposed?
Jun 09, 2026
6 Mins Read
Moon

CVE-2026-11645: Exploited Chrome V8 Bug Enables In-Browser Code Execution

CVE-2026-11645 is a high-severity Google Chrome zero-day in the V8 JavaScript/WebAssembly engine caused by an out-of-bounds (OOB) read/write condition. Google has confirmed it is aware that an exploit exists in the wild, making this an urgent patching item for any organization running Chrome on desktop endpoints.

Fixes shipped in the Chrome 149 Stable desktop update released June 8, 2026, with rollout expected over days or weeks.

This post covers what the vulnerability is, what’s affected, what is known about exploitation, and what defenders should do immediately.

What Is CVE-2026-11645?

CVE-2026-11645 (CVSS 8.8) is an out-of-bounds read and write vulnerability in Chrome’s V8 engine, the component responsible for executing JavaScript and WebAssembly (Wasm).

Details of CVE-2026-11645 (SOCRadar Vulnerability Intelligence)

Details of CVE-2026-11645 (SOCRadar Vulnerability Intelligence)

Out-of-bounds memory access bugs matter because they can corrupt memory in ways attackers use to gain strong exploitation primitives, such as reading sensitive data from process memory or manipulating objects and pointers to redirect execution. In practical terms, downstream advisories describe the impact as arbitrary code execution inside the browser sandbox via a crafted HTML page.

Which Chrome Versions Are Fixed?

Google shipped fixes for CVE-2026-11645 in the Chrome 149 Stable channel desktop update released on June 8, 2026.

Patched Stable versions called out in public reporting are:

  • Windows: 149.0.7827.102
  • macOS: 149.0.7827.103
  • Linux: 149.0.7827.102

If your environment runs an older Chrome build than the versions above, treat it as potentially vulnerable until confirmed otherwise by your software inventory or endpoint management tooling.

One operational nuance that often trips up response teams: updating is not enough if users do not relaunch Chrome. Chrome commonly downloads updates in the background, but the patched binary does not take effect until the browser restarts.

How Does Exploitation Work in Real Terms?

Public detail for CVE-2026-11645 is limited, which is common for Chrome zero-days while patches propagate. What is confirmed is the vulnerability class and location: an OOB read/write in V8, reachable via crafted web content (often summarized as a crafted HTML page).

From a defender’s perspective:

  • Exploitation can be delivered through normal browsing. Users may only need to visit a malicious or compromised page.
  • Successful exploitation can yield arbitrary code execution inside the browser’s sandbox (within the renderer or other sandboxed browser process context).
  • Real-world campaigns often pair a renderer exploit with a separate sandbox escape to break out and reach the OS, but public reporting does not confirm whether this CVE was used with a specific follow-on sandbox escape.

Because the bug sits in V8, it falls into a category of browser issues that attackers often target when they want reliable exploitation against up-to-date endpoints.

Is CVE-2026-11645 Being Exploited in the Wild?

Yes. Google’s bulletin states that “an exploit exists in the wild.” That statement alone is enough to treat this as an incident-prevention priority even without indicators of compromise or campaign details.

At the time of the available reporting:

  • No attribution is confirmed.
  • No public indicators of compromise (IOCs) are provided.
  • No exploit chain specifics (delivery, targets, post-exploitation actions) are described publicly.

Credible media reporting also indicates the bug was reported to Google in late April 2026 by an anonymous researcher, with a reported $55,000 reward. This detail is secondary to Google’s own exploitation statement, and it should be treated as media reporting rather than a vendor-confirmed fact.

Track Exploited Browser Vulnerabilities with SOCRadar

Browser zero-days like CVE-2026-11645 require fast action because exploitation can begin before many endpoints are fully patched. SOCRadar’s Cyber Threat Intelligence module helps security teams follow exploited vulnerabilities, vendor advisories, threat actor activity, and related exploit developments from a single view.

SOCRadar’s Vulnerability Intelligence

SOCRadar’s Vulnerability Intelligence

With SOCRadar’s Vulnerability Intelligence capabilities, teams can track affected products, severity, exploitation status, patch details, and remediation urgency. This helps defenders prioritize browser updates, monitor exposure across their environment, and turn vulnerability alerts into faster, evidence-based action.

Why Does This V8 OOB Bug Matter for Enterprises?

Browser zero-days tend to have outsized impact because they sit on the most common and most exposed endpoint workflow: web browsing. Even if initial code execution lands inside the browser sandbox, attacker value can still be high:

  • It can serve as the first stage in a broader intrusion.
  • It can enable attempts at data access within the browser context (for example, manipulating in-process memory or browser session state, depending on the exploit and environment).
  • It can act as a beachhead for follow-on exploitation if combined with other vulnerabilities (for example, a sandbox escape), though that chaining is a common pattern and is not confirmed for this specific CVE based on public details.

This is especially relevant in environments where users routinely access untrusted links, third-party web apps, online documents, or ad-supported content. It is also relevant for executives and high-risk roles that are more likely to be targeted with tailored web lures.

What Should Defenders Do Now?

Prioritize this as an emergency browser update because exploitation has been confirmed.

Patch immediately and verify versions

  • Update Chrome on endpoints to:
  • Windows: 149.0.7827.102
  • macOS: 149.0.7827.103
  • Linux: 149.0.7827.102
  • Confirm the rollout completed via your endpoint management platform, software inventory, or device compliance reporting.

Force a browser relaunch

  • Ensure users restart Chrome after the update so the patched binary is running.
  • In managed environments, consider using policies or prompts that enforce relaunch within a defined maintenance window.

Reduce exposure while patches propagate

If you cannot complete patching immediately across the fleet:

  • Temporarily increase controls around high-risk browsing (for example, limiting access to unknown categories for unmanaged endpoints).
  • Monitor for suspicious browser-driven activity on endpoints, such as unexpected child processes launched by the browser, unusual network beacons shortly after browsing events, or abnormal crashes in Chrome that could indicate exploit attempts.

Track patch compliance as a security KPI

Because Chrome updates roll out over days or weeks, measure:

  • Percentage of endpoints on patched versions
  • Percentage of endpoints that have restarted Chrome post-update
  • Exceptions, such as kiosk devices, VDI golden images, and privileged admin workstations

CVE-2026-11645 is a reminder that browser patch latency turns directly into attacker opportunity. Treat the patched version threshold as the fastest, most reliable risk reduction step.