Google has urgently updated Chrome to fix a critical zero-day vulnerability in the V8 JavaScript engine, identified as CVE-2026-11645. This high-severity flaw allows out-of-bounds read and write operations, posing risks such as exposing sensitive data or enabling remote code execution within the browser’s sandbox. The issue can be triggered by a specially crafted HTML page, and an exploit is already active in the wild. The updates are available as version 149.0.7827.102.103 for Windows and Mac, and 149.0.7827.102 for Linux.
This vulnerability is the fifth zero-day affecting Chrome in 2026. Google is withholding detailed information about the flaw while updates are being deployed. It was reported in April 2026 by an anonymous researcher, who received a $55,000 reward. The flaw primarily threatens users who haven’t updated to the patched version 149. Successful exploitation could lead to heap corruption and unauthorized memory access, potentially bypassing security measures like ASLR.
Currently, there is no public proof of concept available, and Google has not disclosed technical details or information about the attacks. It is suspected that the zero-day might have been used alongside a sandbox escape vulnerability. Users are advised to update their Chrome browsers immediately, as the rollout of the fix could take time to reach all users. Detecting exposure to this vulnerability is challenging due to the lack of detailed information, but organizations should ensure all Chrome installations are updated to the latest version.
