Google has released emergency updates to patch CVE-2026-11645 — the fifth Chrome zero-day flaw it has patched since the start of the year, the company said.
CVE-2026-11645 and the V8 JavaScript engine
Google described CVE-2026-11645 as a high-severity zero-day that stems from an out-of-bounds read and write weakness in the Chrome V8 JavaScript engine. Remote attackers can exploit the flaw via crafted HTML pages to execute arbitrary code inside the browser's sandbox, according to the advisory. Successful exploitation can allow access to data beyond the memory buffer through heap corruption, exposing sensitive information or causing a crash.
The company also warned the vulnerability could be used to bypass protection mechanisms such as Address Space Layout Randomization (ASLR), which in turn “mak[es] it easier to achieve code execution via another weakness.”
How Google rolled out the patch: versions, timing, and distribution
Google issued patched builds for Chrome’s Stable Desktop channel: Windows and Linux users received version 149.0.7827.102, while Mac users received 149.0.7827.103. The fix was released roughly two weeks after an anonymous security researcher reported the issue to Google.
Google cautioned that the security update “could take days or weeks to reach all Chrome users.” At the same time, BleepingComputer reported the update was available immediately when it checked for updates earlier today. Users who do not want to update manually can rely on Chrome to automatically check for updates and install them during the next launch.
How this fits into Google's 2026 zero-day trend
Google said it is “aware that an exploit for CVE-2026-11645 exists in the wild.” It also acknowledged awareness of exploits for CVE-2024-0519 being used in attacks but has not shared further details about those incidents.
Since the start of 2026, Google has patched four other zero-days that were exploited in attacks:
- CVE-2026-2441 — an iterator invalidation bug in CSSFontFeatureValuesMap, addressed in mid-February.
- CVE-2026-3909 — an out-of-bounds write weakness in the Skia 2D graphics library, fixed in March.
- CVE-2026-3910 — an inappropriate implementation vulnerability in the V8 JavaScript and WebAssembly engine, also fixed in March.
- CVE-2026-5281 — a use-after-free weakness in Dawn, the cross-platform implementation of the WebGPU standard used by the Chromium project, patched in April.
Last year, Google fixed another eight zero-days that had been exploited in the wild; many of those were reported by the company’s Threat Analysis Group (TAG), which the advisory said is known for identifying and tracking zero-day exploits used in spyware attacks.
What this means for security teams, end users, and potential attackers
Security teams and technologists should prioritize verifying deployed Chrome versions across Windows (149.0.7827.102), Mac (149.0.7827.103), and Linux (149.0.7827.102) endpoints and ensure systems install the update. Given Google’s warning that the update could take “days or weeks” to reach all users, teams will need to track update status and consider manual deployment where rapid coverage is required.
End users can either check for updates themselves or rely on Chrome’s automatic update mechanism to install the patch “during the next launch.” Those who prefer immediate protection can trigger a manual check to install the fixed build.
For adversaries or researchers studying exploitation, the advisory makes clear the bug’s technical utility: it enables out-of-bounds memory access and can assist bypassing ASLR, which may be combined with other weaknesses to achieve code execution.
Conclusion: rapid fixes, restricted disclosures, and a remaining question
Google’s emergency release for CVE-2026-11645 marks the company’s fifth in-the-wild zero-day patch of 2026, underscoring an accelerated cadence of emergency fixes this year. The company said it will keep access to bug details restricted “until a majority of users are updated with a fix,” and that it will retain restrictions when a bug exists in a third-party library that other projects also depend on but have not yet fixed. Google also noted awareness of CVE-2024-0519 exploits used in attacks but has not provided further details about those incidents — a point that remains unresolved for defenders tracking active exploitation.
Original reporting: https://www.bleepingcomputer.com/news/security/google-patches-fifth-chrome-zero-day-bug-exploited-in-attacks-this-year/




