"An exploit for CVE-2026-11645 exists in the wild," Google acknowledged — a terse line that underpins the urgency of the company's June 2026 Chrome security update.
CVE-2026-11645: an out-of-bounds memory access in V8
The vulnerability tracked as CVE-2026-11645 carries a CVSS score of 8.8 and has been described by the NIST National Vulnerability Database (NVD) as "out-of-bounds read and write in V8 in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page." In plain terms, the flaw lies in V8 — Chrome's JavaScript and WebAssembly engine — and permits memory access outside intended bounds, enabling arbitrary code execution inside the browser sandbox when exploited from a maliciously constructed web page.
Google's June 2026 update: 74 fixes and specific version targets
Google pushed security updates addressing a total of 74 vulnerabilities in this round. For optimal protection, users should update Chrome to versions 149.0.7827.102/.103 on Windows and macOS, and 149.0.7827.102 for Linux. Google recommends users confirm the update by navigating in Chrome to More > Help > About Google Chrome and selecting "Relaunch" to apply the fixes.
Five actively exploited Chrome zero-days in 2026
CVE-2026-11645 is the fifth Chrome zero-day that Google has acknowledged was actively exploited since the start of the year. The company previously addressed CVE-2026-2441, CVE-2026-3909, CVE-2026-3910, and CVE-2026-5281. Google said it would withhold additional technical specifics about CVE-2026-11645 to ensure a majority of users receive the patch and to reduce the risk of further exploitation.
Researcher "303f06e3" awarded $55,000 for responsible disclosure
The discovery and responsible reporting of CVE-2026-11645 are credited to a security researcher using the handle "303f06e3." The researcher reported the flaw on April 27, 2026, and received a bug bounty payment of $55,000. Google followed its usual disclosure practice by patching the issue and acknowledging the exploit in the wild without releasing technical details.
What this means for technologists, enterprises, and end users
- Technologists and security teams: Prioritize deploying Chrome 149.0.7827.102/.103 across managed fleets and validate that upgrades complete successfully. Monitor for update availability from other Chromium-based vendors and plan patch windows accordingly.
- Enterprises and procurement leaders: Expect similar patches to be released by downstream Chromium-based browser vendors; Microsoft Edge, Brave, Opera, and Vivaldi users should apply vendor-supplied fixes "as and when they become available." Coordinate with desktop management tools to ensure timely rollout.
- End users: Update Chrome now using More > Help > About Google Chrome and select "Relaunch." For users of other Chromium-based browsers, watch vendor channels for equivalent security updates and apply them promptly.
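For fleet teams validating the rollout, the sketch below is an added example, not Google's tooling or code from the original article. It assumes a hypothetical inventory export with one `host,os,installed,running` row per machine (hosts, format, and sample builds are constructed) and treats 149.0.7827.102 as the fixed floor on every platform, per the update guidance above.

```python
import re

# Fixed build per platform, from the update guidance above. Assumption: the
# lower build (.102) is the floor; the NVD text quoted earlier says "prior to
# 149.0.7827.103", so raise the value here for a stricter reading.
FIXED = {name: (149, 0, 7827, 102) for name in ("windows", "macos", "linux")}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")

def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not a four-part version."""
    m = VERSION_RE.match(text.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def classify(os_name, installed, running):
    """Classify one host against the fixed build for its platform."""
    floor = FIXED.get(os_name.lower())
    inst, run = parse_version(installed), parse_version(running)
    if floor is None or inst is None or run is None:
        return "unknown"            # never report unparsed data as patched
    if inst < floor:                # numeric compare: .99 sorts below .102
        return "vulnerable"
    if run < floor:                 # update on disk, old process still running
        return "pending-relaunch"
    return "patched"

def audit(inventory_csv):
    """Map hostname -> status for rows of 'host,os,installed,running'."""
    report = {}
    for line in inventory_csv.splitlines():
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split(",")]
        # A malformed row still names a host; report it rather than drop it.
        report[fields[0]] = classify(*fields[1:]) if len(fields) == 4 else "unknown"
    return report

# Constructed sample inventory (hypothetical hosts and export format).
SAMPLE = """
ws-01,windows,149.0.7827.103,149.0.7827.103
ws-02,windows,149.0.7827.102,149.0.7827.55
mac-01,macos,149.0.7827.99,149.0.7827.99
lin-01,linux,149.0.7827.102,149.0.7827.102
lin-02,linux,unknown,unknown
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as `pending-relaunch` have the fixed build installed but are still running the old one, which is the case the "Relaunch" step addresses.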
Google's decision to withhold exploit details while confirming active in-the-wild use follows its stated intent to protect the largest number of users during a critical window. The practical step for everyone remains the same: install the patches now and verify the relaunch. As Google continues to address multiple zero-days this year, the cadence of fixes and the emphasis on rapid updates underscore that browser security is maintained as much by vendor patching as by administrators and users who apply those patches.
Source: Chrome V8 Zero-Day CVE-2026-11645 Exploited in the Wild - Patch Now




