Google Patches Actively Exploited High-Severity Chrome Zero-Day (CVE-2026-11645)

Google Patches Fifth Actively Exploited Chrome Zero-Day of 2026

HIGH
June 9, 2026
Vulnerability, Patch Management

Related Entities

Products & Tech

Google Chrome, V8 JavaScript engine, Microsoft Edge, Brave, Vivaldi

CVE Identifiers

CVE-2026-11645
HIGH
CVSS:8.8

Full Report

Executive Summary

Google has issued an emergency security update for its Chrome web browser to address a high-severity zero-day vulnerability tracked as CVE-2026-11645. The flaw, an out-of-bounds memory access issue in the V8 JavaScript engine, is confirmed to be actively exploited in the wild. Successful exploitation allows a remote attacker to execute arbitrary code within the browser's sandbox by persuading a user to visit a malicious website. This marks the fifth Chrome zero-day patch released in 2026, highlighting a persistent trend of attackers targeting browser vulnerabilities. All Chrome users on Windows, macOS, and Linux are strongly advised to update to the latest version immediately to protect against ongoing attacks.


Vulnerability Details

CVE-2026-11645 is classified as an out-of-bounds memory access vulnerability within V8, Chrome's open-source JavaScript and WebAssembly engine. This type of flaw allows an attacker to read or write to memory outside of the intended buffer. By crafting a malicious HTML page with specific JavaScript code, an attacker can trigger this condition.

  • CVSS Score: 8.8 (High)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required (User must navigate to a malicious page)

Exploitation can lead to heap corruption, which can be leveraged to bypass security mechanisms and achieve arbitrary code execution within the context of the browser's sandboxed renderer process. While the sandbox provides a layer of protection, attackers often chain such exploits with a second vulnerability (a sandbox escape) to gain full control over the underlying system.

Affected Systems

  • Google Chrome versions prior to 149.0.7827.103 for Windows and macOS.
  • Google Chrome versions prior to 149.0.7827.102 for Linux.
  • Other Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also likely affected and will require updates from their respective vendors.

Exploitation Status

Google has explicitly stated, "Google is aware that an exploit for CVE-2026-11645 exists in the wild." This confirms that threat actors are actively using this vulnerability in real-world attacks. As is typical, Google has not released technical details about the exploit or the identity of the attackers to prevent wider abuse and give users time to patch. The vulnerability was responsibly disclosed by a researcher on April 27, 2026.

This is the fifth Chrome zero-day patched in 2026, indicating a sustained focus by threat actors on browser-based exploits for initial access and malware delivery.

Impact Assessment

A successful exploit of CVE-2026-11645 could allow an attacker to execute arbitrary code on a victim's machine. This could be used to:

  • Install spyware to steal credentials, financial information, and other sensitive data.
  • Deploy ransomware to encrypt the user's files.
  • Use the compromised machine as part of a botnet.
  • Gain an initial foothold in a corporate network, from which to launch further attacks.

Given that the web browser is a primary interface to the internet for most users, a vulnerability like this has a massive potential attack surface, affecting millions of individuals and organizations worldwide.

IOCs — Directly from Articles

No specific Indicators of Compromise (IPs, domains, hashes) were provided in the source articles.

Cyber Observables — Hunting Hints

The following patterns may help identify systems at risk or potential exploitation activity:

  • Type: File Version
    Value: chrome.exe < 149.0.7827.103
    Description: Use endpoint management tools to query for outdated versions of Google Chrome, which are vulnerable.
  • Type: Network Traffic Pattern
    Value: Suspicious JavaScript downloads
    Description: Monitor for connections to newly registered or low-reputation domains serving obfuscated JavaScript. This is a general indicator of web-based threats.
  • Type: Process Name
    Value: chrome.exe
    Description: Monitor for chrome.exe processes spawning suspicious child processes (e.g., powershell.exe, cmd.exe) which could indicate a successful sandbox escape.

Detection & Response

Detection focuses on identifying vulnerable software and anomalous browser behavior.

  1. Asset Management: Regularly scan all endpoints to ensure that Chrome and other web browsers are updated to the latest patched versions. Use EDR or asset inventory systems to flag non-compliant devices.
  2. Endpoint Detection and Response (EDR): Configure EDR policies to monitor for suspicious process chains originating from browsers. An alert should be triggered if chrome.exe spawns a command shell or other unexpected processes. This can be achieved via D3-PA: Process Analysis.
  3. Network Security: Employ web filtering and DNS security to block access to known malicious websites and domains. While this may not block a zero-day attack from a new source, it is a critical layer of defense against common threats.

Mitigation

Patching is the primary and most effective mitigation.

  1. Update Immediately: All users and administrators must ensure that Google Chrome is updated to version 149.0.7827.103 or later on Windows/macOS and 149.0.7827.102 or later on Linux. Chrome's built-in auto-update feature should handle this, but users can force an update by navigating to Help > About Google Chrome.
  2. Patch Chromium Browsers: Users of other Chromium-based browsers should monitor for and apply updates from their vendors as soon as they become available.
  3. Principle of Least Privilege: Ensure users do not operate with local administrator privileges for daily tasks. This can limit the impact of a successful exploit, preventing system-wide changes.
  4. Enable Site Isolation: Ensure Chrome's Site Isolation feature is enabled, as it provides an additional layer of security by separating the processes of different websites.
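
The version check behind mitigation step 1, as an added example that is not part of the original article: it classifies inventory records against the per-platform patched builds stated above. The record field names (`host`, `os`, `chrome_version`) and the sample hosts are assumptions made for illustration.

```python
import re

# Minimum patched builds per platform, taken from the article.
PATCHED = {
    "windows": (149, 0, 7827, 103),
    "macos": (149, 0, 7827, 103),
    "linux": (149, 0, 7827, 102),
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Return a 4-tuple of ints, or None if the string is not a Chrome build number."""
    m = VERSION_RE.match(text.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def assess(record):
    """Classify one inventory record as 'patched', 'vulnerable' or 'unknown'."""
    minimum = PATCHED.get(record.get("os", "").lower())
    version = parse_version(record.get("chrome_version", ""))
    if minimum is None or version is None:
        return "unknown"  # unlisted platform or unparseable version: review by hand
    # Tuple comparison is numeric per component; comparing the raw strings
    # would rank "149.0.7827.99" above "149.0.7827.103".
    return "patched" if version >= minimum else "vulnerable"


def non_compliant(inventory):
    """Return hostnames that are vulnerable or could not be assessed."""
    return sorted(r["host"] for r in inventory if assess(r) != "patched")


# Constructed sample inventory (hypothetical hosts and field names).
SAMPLE_INVENTORY = [
    {"host": "ws-001", "os": "Windows", "chrome_version": "149.0.7827.103"},
    {"host": "ws-002", "os": "Windows", "chrome_version": "149.0.7827.99"},
    {"host": "mac-01", "os": "macOS", "chrome_version": "148.0.7800.210"},
    {"host": "lnx-01", "os": "Linux", "chrome_version": "149.0.7827.102"},
    {"host": "lnx-02", "os": "Linux", "chrome_version": "unknown"},
]

if __name__ == "__main__":
    for rec in SAMPLE_INVENTORY:
        print(rec["host"], assess(rec))
    print("needs attention:", non_compliant(SAMPLE_INVENTORY))
```

Records that cannot be parsed are reported alongside vulnerable ones rather than silently passed, so a broken inventory agent does not read as compliance.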

Timeline of Events

  1. April 27, 2026: CVE-2026-11645 was responsibly disclosed to Google.
  2. June 8, 2026: Google releases an emergency security update for Chrome to patch CVE-2026-11645.
  3. June 9, 2026: This article was published.

MITRE ATT&CK Mitigations

Applying the latest security update from Google is the primary and most effective way to mitigate this vulnerability.

Using web filters and DNS security to block access to malicious or untrusted websites can prevent users from reaching the crafted HTML page needed to trigger the exploit.

Chrome's built-in sandboxing and site isolation are crucial defenses that contain the exploit within the browser process, preventing it from directly accessing the underlying operating system.

D3FEND Defensive Countermeasures

The immediate and mandatory action for all organizations is to enforce the update of Google Chrome to the patched version (149.0.7827.103+). This should be managed through centralized endpoint management tools to ensure 100% compliance across all corporate devices. For unmanaged devices (BYOD), organizations should communicate the urgency of this update to all employees. Given that this is the fifth actively exploited zero-day in Chrome this year, organizations must treat browser patching with the same urgency as server-side vulnerabilities. Automating browser updates and conducting regular compliance scans is essential to reduce the window of exposure for future browser-based threats.

As a defense-in-depth measure, EDR solutions should be configured to monitor and alert on suspicious process chains originating from chrome.exe. A common pattern for browser exploits is to trigger the download and execution of a secondary payload. Therefore, rules should be created to detect chrome.exe spawning processes like cmd.exe, powershell.exe, wscript.exe, or mshta.exe. Baselining normal browser behavior is key. While some legitimate applications might use custom protocol handlers that cause such spawns, they are generally rare. An alert on this behavior could be the first indicator of a successful browser compromise and sandbox escape, allowing security teams to intervene before further damage occurs.
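
The process-chain rule described above, as an added example that is not part of the original article: it scans process-creation events for chrome.exe launching one of the listed child processes and skips spawns recorded in a reviewed baseline. The event field names, hosts, paths and the baseline handler are hypothetical; map them to your EDR's schema.

```python
import ntpath

BROWSER = "chrome.exe"
# Child process names listed in the article.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe"}


def image_name(path):
    """Lower-cased file name from a Windows path (works on any host OS)."""
    return ntpath.basename(path or "").lower()


def find_suspicious_spawns(events, baseline=frozenset()):
    """Return alerts for chrome.exe -> shell/script-host process creations.

    `baseline` holds (child_name, command_line) pairs that were reviewed and
    accepted, such as a known protocol handler; only exact matches are skipped.
    """
    alerts = []
    for ev in events:
        parent, child = image_name(ev["parent_image"]), image_name(ev["image"])
        if parent != BROWSER or child not in SUSPICIOUS_CHILDREN:
            continue
        if (child, ev["command_line"]) in baseline:
            continue
        alerts.append({"host": ev["host"], "child": child,
                       "command_line": ev["command_line"]})
    return alerts


# Constructed sample data: hypothetical hosts, paths and field names.
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SYS32 = "C:\\Windows\\System32\\"
HANDLER = r'cmd.exe /c "C:\Tools\handler.bat" example://open'
BASELINE = {("cmd.exe", HANDLER)}
SAMPLE_EVENTS = [
    {"host": "ws-001", "parent_image": CHROME, "image": CHROME,
     "command_line": "chrome.exe --type=renderer"},
    {"host": "ws-002", "parent_image": CHROME.upper(),
     "image": SYS32 + r"WindowsPowerShell\v1.0\PowerShell.EXE",
     "command_line": "powershell.exe -NoProfile"},
    {"host": "ws-003", "parent_image": r"C:\Windows\explorer.exe",
     "image": SYS32 + "cmd.exe", "command_line": "cmd.exe"},
    {"host": "ws-004", "parent_image": CHROME, "image": SYS32 + "cmd.exe",
     "command_line": HANDLER},
    {"host": "ws-005", "parent_image": CHROME, "image": SYS32 + "mshta.exe",
     "command_line": "mshta.exe <constructed-argument>"},
]

if __name__ == "__main__":
    for alert in find_suspicious_spawns(SAMPLE_EVENTS, BASELINE):
        print(alert)
```

Matching on the lower-cased file name keeps the rule from being missed because of path casing, and the exact-match baseline keeps a reviewed handler from suppressing a different command line run by the same child process.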

Sources & References

  • Chrome V8 Zero-Day CVE-2026-11645 Exploited in the Wild - Patch Now. The Hacker News (thehackernews.com), June 9, 2026.
  • Google Patches 5th Chrome Zero-Day Exploited in 2026. SecurityWeek (securityweek.com), June 9, 2026.
  • Google patches fifth Chrome zero-day bug exploited in attacks this year. BleepingComputer (bleepingcomputer.com), June 9, 2026.

Article Author

Jason Gomes

Tags

Zero-Day, Google Chrome, V8 Engine, Remote Code Execution, Browser Security, Patch Management
