Google Patches Fifth Chrome Zero-Day of 2026

Key Takeaways
- CVE-2026-11645 is an out-of-bounds read/write flaw in Chrome's V8 engine that allows arbitrary code execution
- Patched versions are rolling out now: Windows and Linux (149.0.7827.102), Mac (149.0.7827.103)
- This is the fifth Chrome zero-day Google has patched in 2026, following flaws in CSS, Skia, V8, and WebGPU
Google released an emergency security update on Monday to patch CVE-2026-11645, a high-severity zero-day vulnerability in Chrome that attackers have actively exploited. The flaw affects the V8 JavaScript engine and allows remote code execution through crafted HTML pages.
"Google is aware that an exploit for CVE-2026-11645 exists in the wild," the company said in its security advisory. The patched versions are now rolling out worldwide: 149.0.7827.102 for Windows and Linux, and 149.0.7827.103 for Mac.

An anonymous security researcher reported the vulnerability to Google two weeks before the patch. While Google warns that the update could take days or weeks to reach all users, BleepingComputer confirmed the update was available immediately when checking manually.
How the Vulnerability Works
CVE-2026-11645 stems from an out-of-bounds read and write weakness in Chrome's V8 JavaScript engine. Remote attackers can exploit it by tricking users into loading a malicious HTML page. Once triggered, the flaw enables arbitrary code execution inside Chrome's sandbox.
Successful exploitation causes heap corruption, which lets attackers access data outside the intended memory buffer. This can expose sensitive information or crash the browser. The flaw can also bypass Address Space Layout Randomization (ASLR), a protection mechanism that makes code execution attacks harder. Bypassing ASLR opens the door for attackers to chain this bug with other vulnerabilities.
Google has not disclosed details about how attackers have used the exploit. "Access to bug details and links may be kept restricted until a majority of users are updated with a fix," the company said. Google also noted it will keep restrictions in place if the bug affects third-party libraries that other projects depend on but have not yet patched.
How to Update Chrome
Chrome checks for updates automatically and installs them on the next launch. Users who want to update immediately can do so manually:
- Open Chrome and click the three-dot menu in the top-right corner
- Go to Help > About Google Chrome
- Chrome will check for updates and download the patch automatically
- Click Relaunch to restart the browser with the update applied
Five Zero-Days in Six Months
CVE-2026-11645 is the fifth Chrome zero-day Google has patched in 2026. The pace mirrors last year, when Google fixed eight zero-days exploited in the wild. Many of those were discovered by Google's Threat Analysis Group (TAG), which tracks zero-day exploits used in spyware attacks.
The V8 engine has been a recurring target. Two of this year's five zero-days affect V8 directly. The engine powers JavaScript execution in Chrome and other Chromium-based browsers, making it a high-value target for attackers.
Logicity's Take
Why This Matters for Organizations
Chrome holds roughly 65% of the desktop browser market. A zero-day that enables arbitrary code execution is a serious risk for any organization. The fact that attackers have already used this exploit in the wild means the window for exploitation is open now.
Organizations running Chromium-based browsers like Microsoft Edge or Brave should watch for corresponding patches. These browsers share the V8 engine, so they may be vulnerable to the same flaw until their maintainers release updates.
Frequently Asked Questions
What is CVE-2026-11645?
CVE-2026-11645 is a high-severity vulnerability in Chrome's V8 JavaScript engine. It allows attackers to execute arbitrary code by exploiting an out-of-bounds read and write weakness through malicious HTML pages.
Is my Chrome browser automatically updated?
Chrome checks for updates automatically and installs them on the next launch. However, Google notes the rollout can take days or weeks to reach all users. You can update manually by going to Help > About Google Chrome.
Are other Chromium browsers affected?
Browsers based on Chromium, such as Microsoft Edge and Brave, share the V8 JavaScript engine. They may be vulnerable until their maintainers release patches based on the fix.
How many Chrome zero-days has Google patched in 2026?
Google has patched five zero-day vulnerabilities in Chrome since January 2026. These include flaws in CSS font handling, the Skia graphics library, the V8 engine, and the WebGPU implementation.
How do I know if I have the patched version?
Go to Help > About Google Chrome. The patched versions are 149.0.7827.102 for Windows and Linux, and 149.0.7827.103 for Mac.
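For checking many machines at once, the sketch below (an added example, not code from Google or from the article's source) compares collected version strings against the fixed builds listed above. The inventory format, hostnames and function names are assumptions made for illustration.

```python
import re

# Fixed builds named in the article for CVE-2026-11645, keyed by platform.
PATCHED = {
    "windows": (149, 0, 7827, 102),
    "linux": (149, 0, 7827, 102),
    "mac": (149, 0, 7827, 103),
}

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")

def parse_version(text):
    """Extract the four-part Chrome version from strings like
    'Google Chrome 149.0.7827.102'; return None if absent."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None

def status(platform, version_text):
    """Classify one host as 'patched', 'vulnerable' or 'unknown'."""
    fixed = PATCHED.get(platform.lower())
    found = parse_version(version_text)
    if fixed is None or found is None:
        return "unknown"
    # Compare as integer tuples: as strings, '...99' sorts after '...102'.
    return "patched" if found >= fixed else "vulnerable"

def audit(inventory_csv):
    """Map hostname -> status for 'host,platform,version output' lines."""
    report = {}
    for line in inventory_csv.strip().splitlines():
        host, platform, version_text = (f.strip() for f in line.split(",", 2))
        report[host] = status(platform, version_text)
    return report

# Constructed sample inventory (hostnames and readings are made up).
SAMPLE = """
ws-001,windows,Google Chrome 149.0.7827.102
ws-002,windows,Google Chrome 149.0.7827.99
mb-003,mac,Google Chrome 149.0.7827.102
lx-004,linux,Google Chrome 150.0.7900.1
lx-005,linux,chrome: command not found
"""

if __name__ == "__main__":
    for host, state in audit(SAMPLE).items():
        print(f"{host}: {state}")
```

Because the update is applied on relaunch, a version read from the installed binary can show the fixed build while an already-open browser is still running the old one, so pair this check with a restart policy.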
Source: BleepingComputer
Manaal Khan
Tech & Innovation Writer