Google has released an emergency update for Chrome addressing CVE-2026-11645, a high-severity out-of-bounds write in the V8 JavaScript engine that was being exploited in the wild before the patch was available. This is the third Chrome zero-day confirmed exploited in 2026 and the first since April’s CVE-2026-3854 (which targeted the same V8 engine subsystem).
CISA added CVE-2026-11645 to its Known Exploited Vulnerabilities catalogue on 9 June, setting a 30 June remediation deadline for federal agencies and providing strong guidance for the broader enterprise community.
Vulnerability Details
CVE-2026-11645 is an out-of-bounds write in V8, Chrome’s JavaScript and WebAssembly engine. Out-of-bounds writes in JavaScript engines allow an attacker to corrupt adjacent memory structures — in practice, this enables arbitrary code execution within the renderer process (the sandboxed process that handles web content). Combined with a sandbox escape, this achieves full code execution on the user’s machine.
The vulnerability is triggered by visiting a specially crafted web page. No additional user interaction is required beyond opening the page. Drive-by download attacks — where a victim visits a compromised or malicious website and malware is silently installed — are the primary exploitation vector.
Google has not disclosed the full technical details of the exploitation at the time of patching, a standard practice to give time for the update to propagate. The disclosure confirms active exploitation, meaning threat actors had working exploit code before 9 June.
Affected: Chrome versions prior to 149.0.7762.95 on Windows, macOS, and Linux. Chrome-based browsers (Microsoft Edge, Brave, Opera, Samsung Internet) are also affected and will receive their own updates based on the Chromium patch.
Patched: Chrome 149.0.7762.95 and later.
Checking and Updating Chrome
Users can verify their Chrome version by navigating to chrome://settings/help. If an update is available, Chrome will download it automatically from this page.
Enterprise deployment (Chrome Browser Cloud Management or Group Policy):
- Force update via
GoogleUpdateEnabledpolicy and push the minimum version policy to149.0.7762.95 - Chrome Browser Cloud Management allows immediate fleet-wide version enforcement from the Admin Console
Microsoft Edge (also V8-based): Microsoft released Edge 149.0.2903.87 on the same day, patching the same underlying Chromium flaw. Enterprise teams managing Edge via Microsoft Intune or Group Policy should deploy the Edge update with the same urgency.
Exploitation Context
This is the ninth Chrome/Chromium V8 vulnerability exploited in the wild since 2024. V8 is one of the most complex and most targeted codebases in the browser attack surface. The combination of:
- Ubiquitous deployment (Chrome holds approximately 65% of desktop browser market share)
- JavaScript engine complexity making zero-days statistically inevitable
- High value of renderer compromise as a stepping stone to endpoint compromise
…makes Chrome V8 zero-days a persistent enterprise security concern that cannot be addressed through policy alone — only through maintaining current browser versions across the enterprise fleet.
Enterprise Implications
For enterprise security teams:
Browser version currency: CVE-2026-11645 underscores why managed Chrome deployments must enforce auto-update policies. Chrome’s background update mechanism is effective for consumer devices; enterprise environments that restrict update server access or require manual approval for version changes face elevated risk from zero-day windows.
Browser isolation: Organisations deploying commercial browser isolation solutions (cloud-rendered browsing) are not affected by CVE-2026-11645 through the browser isolation path — the rendering occurs remotely. This is the primary security advantage of browser isolation for high-risk user groups.
Endpoint telemetry: Post-exploitation of a Chrome zero-day typically involves process injection from the renderer or child processes. EDR telemetry watching for unusual process spawning from chrome.exe child processes or unexpected network connections from renderer processes provides detection coverage for the post-exploitation phase.
Share this article