All stories
highExploited VulnerabilitiesCVE-2026-11645

Critical Zero-Day in Chrome Exploited: Immediate Browser Updates Urged

Google has patched a critical zero-day vulnerability in Chrome (CVE-2026-11645) that allowed attackers to execute arbitrary code within the browser's sandbox. This flaw was exploited before version 149.0.7827.103 of Chrome, and it underscores the importance of timely updates for users. The anonymous researcher who reported this bug received a $55,000 reward. Defenders should prioritize updating their browsers immediately to mitigate any risks.

Harith Dilshan·Jun 8, 2026·4 min read·Primary source

Summary

Google recently announced an update to Chrome that addresses 74 vulnerabilities, including a zero-day actively exploited in the wild (CVE-2026-11645). This high-severity flaw involved an out-of-bounds read/write issue in V8, enabling remote attackers to execute arbitrary code within the sandbox using a crafted HTML page. The vulnerability was reported by an anonymous researcher and has been patched in Chrome version 149.0.7827.103.

What Happened

In early June 2026, Google released Chrome version 149 with critical security updates addressing numerous vulnerabilities. Among these was CVE-2026-11645, a zero-day flaw that had already seen exploitation in the wild. The vulnerability allowed attackers to execute arbitrary code inside the browser's sandbox by leveraging an out-of-bounds read/write issue within V8, Google's JavaScript engine.

The discovery of this exploit highlights the ongoing challenge of securing complex software like web browsers against sophisticated attacks. While no specific details about the exploits were disclosed, it is likely that threat actors combined this vulnerability with other flaws to escape the sandbox environment and execute malicious code on victims' machines.

Technical Details

CVE-2026-11645 involves an out-of-bounds read/write issue in V8, which is a critical component of Chrome responsible for executing JavaScript. This flaw allowed attackers to craft HTML pages that could manipulate memory boundaries within the browser, leading to arbitrary code execution inside the sandbox environment. The sandbox is designed to isolate web content from the rest of the system, but this vulnerability effectively bypassed these protections.

The zero-day was reported by an anonymous researcher in late April 2026 and identified with Google's internal identifier '303f06e3'. This expert has a history of reporting vulnerabilities to Google, having previously disclosed other Chrome-related issues. For responsibly disclosing CVE-2026-11645, the researcher received a $55,000 reward.

Affected Products and Fixed Versions

The vulnerability affected all versions of Google Chrome prior to 149.0.7827.103. Users running any earlier version are at risk if they encounter malicious web content designed to exploit this flaw. The update to version 149.0.7827.103 resolves the issue, making it crucial for users and organizations to apply this patch promptly.

Exploitation Status

CVE-2026-11645 has been actively exploited in the wild, marking it as the fifth zero-day vulnerability in Chrome for the year 2026. The other known exploits include CVE-2026-2441, CVE-2026-3909, CVE-2026-3910, and CVE-2026-5281. While specific details about the attacks leveraging this flaw remain undisclosed, it is likely that attackers combined it with sandbox escape techniques to achieve broader system access.

Detection Opportunities

While no specific detection methods for CVE-2026-11645 have been publicly disclosed, organizations can enhance their monitoring by focusing on unusual browser behavior or unexpected network traffic originating from Chrome. Implementing endpoint detection and response (EDR) solutions that monitor process behaviors and memory anomalies may also help identify potential exploitation attempts.

Defender Guidance

To mitigate the risk posed by CVE-2026-11645, users should immediately update their Google Chrome browsers to version 149.0.7827.103 or later. Organizations should ensure that automatic updates are enabled for all managed devices running Chrome. Additionally, IT teams can benefit from conducting regular vulnerability assessments and penetration testing to identify and remediate potential security gaps in their environments.

What Remains Unclear

While the zero-day has been patched, several aspects remain unclear. The specific methods used by attackers to exploit this vulnerability are not publicly detailed, nor is there information on the extent of its exploitation or the identities of affected users. Further insights into these areas would provide a more comprehensive understanding of the threat landscape and inform future defensive strategies.

Hashtags

#h4rithd #news #HarithDilshan #GoogleChrome #ZeroDayVulnerability #CVE202611645

Sources

  1. https://www.securityweek.com/google-patches-5th-chrome-zero-day-exploited-in-2026/
  2. https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0153744567.html
  3. https://issues.chromium.org/issues/506689381
  4. https://nvd.nist.gov/vuln/detail/CVE-2026-11645
#Google#Chrome#CVE-2026-11645#ExploitedVulnerabilities#h4rithd#news#HarithDilshan#Google#Chrome#CVE202611645#ExploitedVulnerabilities
Harith Dilshan

Harith Dilshan

- Offensive Security Engineer | Ethical Hacker | Penetration Tester -

Related reading

highExploited Vulnerabilities

Actively Exploited Linux and Android Flaws Prompt Urgent Patching by CISA

Jun 2, 2026 · 4 min readcriticalExploited Vulnerabilities

Unauthenticated File Manipulation Flaw in Splunk Enterprise Exposes Critical Risk

Jun 13, 2026 · 3 min readhighExploited Vulnerabilities

U.S. CISA Mandates Immediate Patching of Exploited Ivanti Sentry Vulnerability

Jun 12, 2026 · 4 min read