$55,000 was awarded to the researcher who reported CVE-2026-11645.
Emergency patch: scale and severity
Google on June 8 released an emergency update addressing 74 vulnerabilities in Chrome, including a high-severity defect that the company says has been "exploited in the wild." The security bulletin lists fixes for 17 critical vulnerabilities, 55 high-severity ones and two medium-severity ones. Google said the security fixes will roll out "over the coming days/weeks" for Chrome users on Windows, Mac and Linux.
Details of the exploited bug: CVE-2026-11645
CVE-2026-11645 is described as an out-of-bounds read and write vulnerability affecting V8 in Google Chrome versions prior to 149.0.7827.103. When exploited, the bug "allows a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page." The flaw has been assigned a high-severity rating of 8.8.
Google credited a security researcher identified as '303f06e3' with reporting the flaw on April 27. According to the bulletin, the researcher has previously reported Chrome vulnerabilities and was awarded $55,000 for disclosing CVE-2026-11645 to the Chrome security team.
Google's disclosure posture and evidence of exploitation
The company confirmed it is aware of the flaw being exploited in the wild but did not provide additional details about the exploitation evidence. In its advisory Google said: "Access to bug details and links may be kept restricted until a majority of users are updated with a fix." It added: "We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven’t yet fixed."
Those statements frame the limited public detail about proof of active exploitation: Google maintains restrictions on technical information until updates reach a large share of users, and may continue those restrictions when the vulnerability involves third-party libraries used across projects.
What this means for technologists, enterprises, and end users
- Technologists and security teams: prioritize tracking the Chrome rollout across Windows, Mac and Linux and prepare to validate that affected versions prior to 149.0.7827.103 are updated. Expect restricted bug details until updates are broadly deployed, particularly where third-party libraries are involved.
- Enterprises and procurement leaders: plan accelerated patching windows and verification, given that Google has labeled CVE-2026-11645 as high severity and confirmed exploitation in the wild. Coordinate inventory of Chrome versions in use to identify systems that require immediate attention.
- End users: watch for the update as it becomes available over the coming days/weeks and apply it on Windows, Mac and Linux systems to ensure protection against a vulnerability that permits remote execution via crafted HTML.
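A small version-audit script to support the inventory and validation steps above (and the closing recommendation to confirm no installation is still below 149.0.7827.103). This is an added example, not code from Google or the original article; the 'host,version' inventory format and the hostnames are constructed assumptions. Its one substantive point is that Chrome build strings must be compared numerically per component, since a string comparison would rank 149.0.7827.99 above 149.0.7827.103 and miss an unpatched host.

```python
"""Flag Chrome installs still below the fixed build for CVE-2026-11645.

Added example, not from the original article. Chrome builds are four
dot-separated integers; comparing them as strings is wrong ("99" > "103"),
so the check parses each component into an int tuple first. The inventory
lines are constructed sample data in a hypothetical 'host,version' format.
"""
from typing import List, Tuple

FIXED_VERSION = "149.0.7827.103"  # first build carrying the fix, per the bulletin

# Constructed sample inventory: hostname,reported Chrome version
SAMPLE_INVENTORY = """\
ws-001,148.0.7700.52
ws-002,149.0.7827.103
ws-003,149.0.7827.99
ws-004,150.0.8001.10
ws-005,not-installed
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '149.0.7827.103' into (149, 0, 7827, 103); raise on junk."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` is strictly older than the fixed build."""
    return parse_version(version) < parse_version(fixed)


def audit_inventory(csv_text: str) -> Tuple[List[str], List[str]]:
    """Return (hosts_needing_update, hosts_whose_version_could_not_be_parsed)."""
    needs_update, unknown = [], []
    for line in csv_text.splitlines():
        if not line.strip():
            continue
        host, _, version = line.partition(",")
        try:
            if is_vulnerable(version):
                needs_update.append(host)
        except ValueError:
            unknown.append(host)  # surface for manual follow-up, never silently pass
    return needs_update, unknown


if __name__ == "__main__":
    stale, unknown = audit_inventory(SAMPLE_INVENTORY)
    print("needs update:", stale)   # ['ws-001', 'ws-003']
    print("unparseable:", unknown)  # ['ws-005']
```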
Context and closing observation
Google noted this is the fifth Chrome zero-day in 2026 that was exploited before a patch was available. That cadence, coupled with Google's practice of restricting technical details until a majority of users receive fixes or until dependent projects have issued their own fixes, leaves administrators and defenders balancing speed of deployment against limited public indicators about active exploitation.
For now, the concrete actions are narrow and direct: apply the published Chrome updates when they arrive, confirm affected installations are no longer running versions prior to 149.0.7827.103, and monitor for further advisories from Google about related third-party library fixes and any expanded disclosure.
Original story: https://www.infosecurity-magazine.com/news/google-patch-chrome-vulnerability/