Google Patches 5th Chrome Zero-Day; V8 Flaw Chains for OS Access

Google patched CVE-2026-11645, a V8 out-of-bounds flaw being chained with a sandbox escape to achieve OS code execution. It is the fifth Chrome zero-day of 2026.

    Google issued an emergency update to Chrome on June 9, patching CVE-2026-11645 — a high-severity out-of-bounds read and write vulnerability in the V8 JavaScript engine that threat actors were already exploiting in the wild before the fix shipped. The update brings Chrome to version 149.0.7827.102 on Windows and Linux, and 149.0.7827.103 on macOS. CVE-2026-11645 is the fifth Chrome zero-day patched under active exploitation conditions in 2026 — a pace that surpasses Chrome’s historical annual rates and marks a significant escalation in browser attack surface activity in the first half of the year.

    CVE-2026-11645: V8 Out-of-Bounds Flaw at the Core of the Attack Chain

    V8 is Chrome’s JavaScript engine: the component responsible for parsing and executing the JavaScript that every website delivers to the browser. Out-of-bounds read and write vulnerabilities in V8 allow attackers to corrupt heap memory inside Chrome’s sandboxed renderer process, the isolated execution environment where web content runs. Heap corruption of this kind exposes the contents of adjacent memory regions, enables bypasses of address space layout randomization, and produces code execution within the browser sandbox.

    An anonymous security researcher reported CVE-2026-11645 to Google in late April 2026, approximately six weeks before the emergency patch. Google awarded a $55,000 bug bounty, consistent with high-severity V8 reports. The six-week gap between initial report and patch release suggests the flaw was under internal review when Google confirmed active exploitation in the wild, compressing the final release timeline. Google is withholding detailed technical information about the vulnerability’s mechanics until Chrome’s automatic update rollout has reached a broad user base, its consistent policy for zero-days confirmed exploited before fixes reach all affected installations.

    How CVE-2026-11645 Chains with a Sandbox Escape for Full OS Code Execution

    Active exploitation of CVE-2026-11645 does not stop at Chrome’s renderer sandbox. Threat actors are pairing the V8 flaw with a second vulnerability — a sandbox escape — to break out of Chrome’s process isolation entirely and execute code at the OS level with the privileges of the browser process. The combined two-flaw chain delivers full system access, enabling credential theft, data exfiltration, and persistent footholds on the underlying operating system.

    The distinction between the V8 flaw exploited alone versus as part of this chain matters for understanding the scope of risk. A memory corruption bug contained within Chrome’s renderer sandbox is limited to browser-scoped data — session cookies, locally cached content, and credentials accessible through the browser’s own stores. The sandbox escape attached to CVE-2026-11645 removes that boundary, exposing the full operating system: filesystem contents, memory of other running processes, network credentials, and anything else the browser process can reach. The resulting capability matches that of a traditional remote code execution vulnerability in a desktop application.

    Chrome’s Five Actively Exploited Zero-Days in 2026 and the AI-Assisted Discovery Pace

    CVE-2026-11645 is the fifth Chrome zero-day confirmed under active exploitation in 2026. The four preceding it are CVE-2026-2441, CVE-2026-3909 and CVE-2026-3910 — exploited together as a chained attack — and CVE-2026-5281. Chrome 149’s initial stable release — version 149.0.7827.53, shipped four days before this emergency update — patched 429 vulnerabilities, a record for any single Chrome release, with no actively exploited flaws among them. Within four days of that record-breaking release, Google issued a separate emergency patch for an actively exploited zero-day not included in it.

    Google has attributed the accelerating vulnerability discovery pace broadly to AI-assisted research tooling. The five zero-days in the first half of 2026 reflect a compressed cycle from discovery to in-the-wild exploitation — the same AI tooling that external researchers and Google’s own security teams are applying to browser codebases has shortened the window between vulnerability identification and operational attack use.

    Chrome 149.0.7827.102 Update Required for Edge, Brave, Opera, and All Chromium Browsers

    V8 is the shared JavaScript runtime underlying Chrome and every major Chromium-derived browser, including Microsoft Edge, Brave, and Opera. CVE-2026-11645 affects the entire Chromium ecosystem until each vendor ships its corresponding update. Enterprise environments running any unpatched Chromium-based browser on endpoints remain exposed to the full exploitation chain — including the sandbox escape and OS code execution capability — until the update is applied.

    The patched Chrome versions are 149.0.7827.102 for Windows and Linux and 149.0.7827.103 for macOS. Chrome distributes updates automatically, but enterprise deployments running managed browser configurations may require administrator action to push the update before automatic rollout completes. Microsoft, Brave, and Opera each maintain separate release timelines for their Chromium-based products; administrators running those browsers should check vendor-specific advisories to confirm the patched version numbers applicable to their deployments before declaring endpoints protected.
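
One way to run the endpoint check described above, as an added example (not code from Google or from this article): it compares a browser inventory against the fixed Chrome builds listed here and refuses to judge other Chromium browsers by Chrome's numbers. The CSV layout, hostnames and status labels are assumptions made for the illustration.

```python
import csv
import io
import re

# Fixed Chrome builds for CVE-2026-11645 as stated in the article, keyed by OS.
FIXED_CHROME = {
    "windows": (149, 0, 7827, 102),
    "linux": (149, 0, 7827, 102),
    "macos": (149, 0, 7827, 103),
}

def parse_version(text):
    """Return a four-part version as a tuple of ints, or None if malformed."""
    if not re.fullmatch(r"\d+(\.\d+){3}", text.strip(), flags=re.ASCII):
        return None
    return tuple(int(part) for part in text.strip().split("."))

def classify(browser, os_name, version):
    """Return PATCHED, VULNERABLE, CHECK_VENDOR or UNKNOWN for one install."""
    if browser.strip().lower() != "chrome":
        # Edge, Brave and Opera number their releases separately and the
        # article lists no fixed builds for them: defer to the vendor advisory.
        return "CHECK_VENDOR"
    fixed = FIXED_CHROME.get(os_name.strip().lower())
    parsed = parse_version(version)
    if fixed is None or parsed is None:
        return "UNKNOWN"  # never report an unparseable install as protected
    # Tuples compare numerically, so build 53 sorts below build 102.
    return "PATCHED" if parsed >= fixed else "VULNERABLE"

def triage(inventory_csv):
    """Return (host, browser, status) for every row of CSV text with a header."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return [(r["host"], r["browser"], classify(r["browser"], r["os"], r["version"]))
            for r in rows]

# Constructed sample inventory: hostnames are made up, and the Edge and
# 150.x version strings are placeholders, not real release numbers.
SAMPLE = """host,browser,os,version
ws-01,Chrome,windows,149.0.7827.102
ws-02,Chrome,windows,149.0.7827.53
mac-01,Chrome,macos,149.0.7827.102
mac-01,Edge,macos,0.0.0.0
lnx-01,Chrome,linux,150.0.0.1
ws-03,Chrome,windows,149.0.7827
"""

if __name__ == "__main__":
    for host, browser, status in triage(SAMPLE):
        print(f"{host}\t{browser}\t{status}")
```

Two rows are worth noting: `ws-02` runs the initial 149 stable build, which predates the fix, and `mac-01` runs the Windows/Linux fixed build number, which is one build short of the macOS fix.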
