Chrome V8 CVE-2026-11645 exploitation
Summary
CVE-2026-11645 is a high-severity out-of-bounds memory-access vulnerability in V8, Chrome's JavaScript and WebAssembly engine. Google released Chrome Stable 149.0.7827.102/.103 for Windows and macOS and 149.0.7827.102 for Linux on 2026-06-08, and explicitly stated that an exploit for CVE-2026-11645 exists in the wild.
The durable defender lesson is browser zero-day response discipline: treat the finding as active client-side exploitation even when the public advisory withholds campaign, target, and exploit-chain details.
Tags
- ops
- operations
- Google Chrome
- Chromium
- V8
- CVE-2026-11645
- active exploitation
- browser zero-day
- client-side exploitation
- patch management
- endpoint response
Why this matters
- Chrome and Chromium-derived browsers are high-reach client-side attack surface across enterprise endpoints, developer workstations, and BYOD systems.
- V8 flaws can be triggered through crafted web content; public NVD wording for CVE-2026-11645 describes arbitrary code execution inside the Chrome sandbox via a crafted HTML page in versions before 149.0.7827.103.
- Google confirmed in-the-wild exploitation but did not publish actor, target, lure, or post-exploitation details, so defenders should not wait for named-campaign reporting before patching.
- Other Chromium-based browsers may need separate vendor updates after the Chrome fix lands.
Operational characteristics
- Affected component: Google Chrome V8 JavaScript / WebAssembly engine.
- Exploit status: Google says an exploit for CVE-2026-11645 exists in the wild.
- Vulnerability class: out-of-bounds memory access in V8; NVD describes out-of-bounds read and write leading to arbitrary code execution inside the sandbox through crafted HTML.
- Fixed Chrome versions: 149.0.7827.102/.103 for Windows and macOS; 149.0.7827.102 for Linux, rolling out from 2026-06-08.
- Public attribution: none in the reviewed public sources. Keep actor, malware, and target-sector attribution unset unless Google, CISA, or another primary source publishes follow-up detail.
Defender heuristics
- Prioritize emergency update coverage for Chrome on endpoints that browse the open internet, handle email/web links, or run privileged SaaS and administrative sessions.
- Check Chromium-derived browsers separately, including Microsoft Edge, Brave, Vivaldi, Opera, and embedded Chromium runtimes where enterprise software exposes web content.
- Hunt for endpoints that accessed unusual web content shortly before browser crashes, renderer-process anomalies, sandbox escapes, unsigned child processes, unexpected download execution, credential prompts, or suspicious extension changes.
- Correlate endpoint events with proxy, DNS, secure-web-gateway, and EDR telemetry around the patch window; preserve evidence before wiping systems where exploitation is suspected.
- For high-risk users, consider temporary isolation or stricter browser-site controls until update telemetry confirms the fixed build is deployed.
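The patch-coverage and hunting heuristics above can be turned into a small triage script. The following is an added example, not code from Google, NVD, or the page's sources: it takes the fixed builds stated above as a per-platform floor (with an optional stricter floor matching NVD's "before 149.0.7827.103" wording for Windows and macOS), compares inventory versions numerically rather than lexically, routes non-Chrome Chromium browsers to a separate vendor check, and correlates constructed proxy and endpoint events on the same host inside a short window. Host names, event names, URLs, and the inventory rows are all constructed for the example.

```python
"""Added triage example for CVE-2026-11645 (not part of the advisory or its sources)."""
from datetime import datetime, timedelta

# Minimum fixed builds per platform, from the Chrome Stable release note cited on
# the page: Windows/macOS 149.0.7827.102/.103, Linux 149.0.7827.102.  The second
# tuple is the stricter floor an operator may prefer, since NVD describes the
# affected range as "before 149.0.7827.103".
FIXED_BUILDS = {
    "windows": ((149, 0, 7827, 102), (149, 0, 7827, 103)),
    "macos":   ((149, 0, 7827, 102), (149, 0, 7827, 103)),
    "linux":   ((149, 0, 7827, 102), (149, 0, 7827, 102)),
}

# Endpoint event names are constructed labels mirroring the hunt heuristics above.
WATCH_EVENTS = {"renderer_crash", "unsigned_child_process",
                "unexpected_download_exec", "extension_installed"}


def parse_version(text):
    """Turn '149.0.7827.101' into (149, 0, 7827, 101) so comparison is numeric.
    A string compare would wrongly rank '99' above '102'."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {text!r}")
    return tuple(int(p) for p in parts)


def chrome_status(platform, version, strict=False):
    """'patched' or 'vulnerable' for a Chrome build on the given platform."""
    floors = FIXED_BUILDS.get(platform.lower())
    if floors is None:
        return "unknown-platform"
    floor = floors[1] if strict else floors[0]
    return "patched" if parse_version(version) >= floor else "vulnerable"


def triage_inventory(rows, strict=False):
    """Map host -> status.  Chromium-derived browsers (Edge, Brave, ...) carry their
    own version lines and fixed builds, so they are flagged for a vendor check
    rather than compared against Chrome's numbers."""
    out = {}
    for row in rows:
        if row["browser"].lower() != "chrome":
            out[row["host"]] = "check-vendor"
        else:
            out[row["host"]] = chrome_status(row["platform"], row["version"], strict)
    return out


def parse_events(lines):
    """'<iso-timestamp> <host> <value>' -> list of dicts (constructed log shape)."""
    events = []
    for line in lines:
        ts, host, value = line.split(" ", 2)
        events.append({"ts": datetime.fromisoformat(ts), "host": host, "value": value})
    return events


def correlate(proxy_events, endpoint_events, window_minutes=10):
    """Return (host, url, event) triples where a watch-listed endpoint event
    occurred on the same host within window_minutes AFTER a web request."""
    window = timedelta(minutes=window_minutes)
    hits = []
    for ep in endpoint_events:
        if ep["value"] not in WATCH_EVENTS:
            continue
        for px in proxy_events:
            if px["host"] != ep["host"]:
                continue
            delta = ep["ts"] - px["ts"]
            if timedelta(0) <= delta <= window:
                hits.append((ep["host"], px["value"], ep["value"]))
    return hits


# Constructed sample data -------------------------------------------------------
INVENTORY = [
    {"host": "ws-042",    "platform": "windows", "browser": "Chrome", "version": "149.0.7827.99"},
    {"host": "ws-117",    "platform": "macos",   "browser": "Chrome", "version": "149.0.7827.103"},
    {"host": "srv-lin-3", "platform": "linux",   "browser": "Chrome", "version": "149.0.7827.102"},
    {"host": "ws-205",    "platform": "windows", "browser": "Edge",   "version": "149.0.3000.1"},
]
PROXY_LOG = [
    "2026-06-09T08:01:10 ws-042 https://cdn-example.invalid/landing.html",
    "2026-06-09T08:40:00 ws-042 https://intranet.example/home",
    "2026-06-09T09:15:30 ws-117 https://news.example/article",
]
ENDPOINT_LOG = [
    "2026-06-09T08:03:45 ws-042 renderer_crash",           # 2.5 min after landing.html
    "2026-06-09T09:05:00 ws-042 extension_installed",      # 25 min after intranet: outside window
    "2026-06-09T09:16:00 ws-117 unsigned_child_process",   # 30 s after news article
    "2026-06-09T10:00:00 ws-117 renderer_crash",           # no request in the prior 10 min
]

if __name__ == "__main__":
    print(triage_inventory(INVENTORY))
    print(correlate(parse_events(PROXY_LOG), parse_events(ENDPOINT_LOG)))
```

With the sample data, ws-042 shows as vulnerable (build .99 is below .102 numerically even though it sorts above as a string), ws-205 is routed to an Edge vendor check, and the correlation yields two host/url/event hits worth pulling EDR and proxy detail for before any reimaging.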
Related pages
- Microsoft Defender CVE-2026-41091 / CVE-2026-45498 exploitation
- AI-brand impersonation phishing and malvertising
- Browser-based developer IDE OAuth token theft
Sources
- Google Chrome Releases: https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0153744567.html
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-11645
- CVE record: https://www.cve.org/CVERecord?id=CVE-2026-11645
- The Hacker News summary: https://thehackernews.com/2026/06/chrome-v8-zero-day-cve-2026-11645.html