Google Fixes Fifth Zero-Day in Chrome: Arbitrary Code Execution via JavaScript Engine Flaw

Summary

Google has swiftly addressed a critical zero-day vulnerability in its Chrome browser, marking the fifth such flaw patched since the start of 2026. The vulnerability, identified as CVE-2026-11645, was actively exploited by attackers using crafted HTML pages to execute arbitrary code within Chrome's sandbox environment. This exploit leveraged an out-of-bounds read and write weakness in the V8 JavaScript engine, posing a significant risk to users' data security. Google has released emergency updates for Windows, Mac, and Linux systems, with patched versions rolling out globally.

What Happened

The zero-day vulnerability CVE-2026-11645 was discovered in the V8 JavaScript engine used by Chrome. This flaw allowed remote attackers to execute arbitrary code within the browser's sandbox environment by exploiting an out-of-bounds read and write weakness. The attack vector involved crafted HTML pages designed to trigger this vulnerability, enabling unauthorized access to sensitive data or causing system crashes.

Google acknowledged the existence of exploits for CVE-2026-11645 in the wild and acted promptly to mitigate the threat. The company released emergency updates for Chrome users across different platforms, including Windows (149.0.7827.102), Mac (149.0.7827.103), and Linux (149.0.7827.102). These updates were made available immediately following the discovery of the vulnerability.

Technical Details

The technical underpinnings of CVE-2026-11645 involve an out-of-bounds read and write weakness in Chrome's V8 JavaScript engine. This flaw allowed attackers to bypass protection mechanisms such as Address Space Layout Randomization (ASLR), facilitating code execution via another vulnerability. The exploit required the attacker to craft a malicious HTML page, which, when loaded by an unsuspecting user, could execute arbitrary code within the browser's sandbox.

The severity of this zero-day lies in its potential to access data beyond the memory buffer through heap corruption. Successful exploitation could lead to unauthorized access to sensitive information or trigger system crashes. The vulnerability also posed a risk of bypassing Chrome's built-in security mechanisms, making it easier for attackers to achieve their malicious objectives.

Affected Products and Fixed Versions

The zero-day vulnerability CVE-2026-11645 affected the following versions of Google Chrome:

• Windows: 149.0.7827.102
• Mac: 149.0.7827.103
• Linux: 149.0.7827.102

Google has released patched versions for these platforms to address the vulnerability. Users are strongly encouraged to update their browsers immediately or rely on Chrome's automatic update feature to ensure protection against this exploit.

Exploitation Status

Google confirmed that exploits for CVE-2026-11645 were actively used in attacks. The company has not disclosed detailed information about these incidents but emphasized the importance of updating to the latest versions to mitigate the risk. Google also noted that access to bug details and links might be restricted until a majority of users are updated with the fix, especially if the vulnerability exists in third-party libraries.

Indicators of Compromise

Indicators of compromise (IOCs) for CVE-2026-11645 include:

• Out-of-bounds read and write activities within the V8 JavaScript engine.
• Execution of arbitrary code within Chrome's sandbox environment via crafted HTML pages.
• Potential bypassing of ASLR protection mechanisms.

Detection Opportunities

Security teams can detect potential exploitation attempts by monitoring for unusual out-of-bounds read and write activities within the V8 JavaScript engine. Additionally, network traffic analysis for crafted HTML pages designed to exploit this vulnerability can provide early warning signs of an attack.

Timeline

• Discovery: An anonymous security researcher reported the vulnerability to Google.
• Response: Google acknowledged the existence of exploits in the wild and released emergency updates for Chrome users across different platforms.
• Patch Release: Patched versions were made available immediately, with ongoing rollout globally.

Why This Matters for Defenders

The exploitation of CVE-2026-11645 underscores the critical importance of timely software updates to protect against zero-day vulnerabilities. Security teams must prioritize patch management and ensure that all systems are updated promptly to mitigate the risk of similar exploits. Additionally, monitoring for indicators of compromise can help detect potential attacks early, allowing defenders to respond swiftly.

What Remains Unclear

While Google has confirmed the exploitation of CVE-2026-11645, specific details about the incidents remain undisclosed. The company has not shared information on the nature or scope of the attacks, leaving some uncertainty about the full impact of this vulnerability.

Defender Guidance

To protect against CVE-2026-11645 and similar vulnerabilities:

1. Update Immediately: Ensure that all Chrome browsers are updated to the latest versions (Windows: 149.0.7827.102, Mac: 149.0.7827.103, Linux: 149.0.7827.102).
2. Enable Automatic Updates: Configure Chrome to automatically check for and install updates during each launch.
3. Monitor Network Traffic: Analyze network traffic for signs of crafted HTML pages designed to exploit this vulnerability.
4. Stay Informed: Follow security advisories from Google and other trusted sources to stay updated on emerging threats.

By taking these proactive steps, defenders can significantly reduce the risk of exploitation and enhance their overall cybersecurity posture.