Google Patches Fifth Chrome Zero-Day of 2026

Key Takeaways

• CVE-2026-11645 is an out-of-bounds read/write flaw in Chrome's V8 engine that allows arbitrary code execution
• Patched versions are rolling out now: Windows and Linux (149.0.7827.102), Mac (149.0.7827.103)
• This is the fifth Chrome zero-day Google has patched in 2026, following flaws in CSS, Skia, V8, and WebGPU

Google released an emergency security update on Monday to patch CVE-2026-11645, a high-severity zero-day vulnerability in Chrome that attackers have actively exploited. The flaw affects the V8 JavaScript engine and allows remote code execution through crafted HTML pages.

"Google is aware that an exploit for CVE-2026-11645 exists in the wild," the company said in its security advisory. The patched versions are now rolling out worldwide: 149.0.7827.102 for Windows and Linux, and 149.0.7827.103 for Mac.

An anonymous security researcher reported the vulnerability to Google two weeks before the patch. While Google warns that the update could take days or weeks to reach all users, BleepingComputer confirmed the update was available immediately when checking manually.

How the Vulnerability Works

CVE-2026-11645 stems from an out-of-bounds read and write weakness in Chrome's V8 JavaScript engine. Remote attackers can exploit it by tricking users into loading a malicious HTML page. Once triggered, the flaw enables arbitrary code execution inside Chrome's sandbox.

Successful exploitation causes heap corruption, which lets attackers access data outside the intended memory buffer. This can expose sensitive information or crash the browser. The flaw can also bypass Address Space Layout Randomization (ASLR), a protection mechanism that makes code execution attacks harder. Disabling ASLR opens the door for attackers to chain this bug with other vulnerabilities.

Google has not disclosed details about how attackers have used the exploit. "Access to bug details and links may be kept restricted until a majority of users are updated with a fix," the company said. Google also noted it will keep restrictions in place if the bug affects third-party libraries that other projects depend on but have not yet patched.

How to Update Chrome

Chrome checks for updates automatically and installs them on the next launch. Users who want to update immediately can do so manually:

1. Open Chrome and click the three-dot menu in the top-right corner
2. Go to Help > About Google Chrome
3. Chrome will check for updates and download the patch automatically
4. Click Relaunch to restart the browser with the update applied

Five Zero-Days in Six Months

CVE-2026-11645 is the fifth Chrome zero-day Google has patched in 2026. The pace mirrors last year, when Google fixed eight zero-days exploited in the wild. Many of those were discovered by Google's Threat Analysis Group (TAG), which tracks zero-day exploits used in spyware attacks.

The V8 engine has been a recurring target. Two of this year's five zero-days affect V8 directly. The engine powers JavaScript execution in Chrome and other Chromium-based browsers, making it a high-value target for attackers.

Why This Matters for Organizations

Chrome holds roughly 65% of the desktop browser market. A zero-day that enables arbitrary code execution is a serious risk for any organization. The fact that attackers have already used this exploit in the wild means the window for exploitation is open now.

Organizations running Chromium-based browsers like Microsoft Edge or Brave should watch for corresponding patches. These browsers share the V8 engine, so they may be vulnerable to the same flaw until their maintainers release updates.

Frequently Asked Questions

What is CVE-2026-11645?

CVE-2026-11645 is a high-severity vulnerability in Chrome's V8 JavaScript engine. It allows attackers to execute arbitrary code by exploiting an out-of-bounds read and write weakness through malicious HTML pages.

Is my Chrome browser automatically updated?

Chrome checks for updates automatically and installs them on the next launch. However, Google notes the rollout can take days or weeks to reach all users. You can update manually by going to Help > About Google Chrome.

Are other Chromium browsers affected?

Browsers based on Chromium, such as Microsoft Edge and Brave, share the V8 JavaScript engine. They may be vulnerable until their maintainers release patches based on the fix.

How many Chrome zero-days has Google patched in 2026?

Google has patched five zero-day vulnerabilities in Chrome since January 2026. These include flaws in CSS font handling, the Skia graphics library, the V8 engine, and the WebGPU implementation.

How do I know if I have the patched version?

Go to Help > About Google Chrome. The patched versions are 149.0.7827.102 for Windows and Linux, and 149.0.7827.103 for Mac.

Source: BleepingComputer