Google has patched CVE-2026-11645, a high-severity out-of-bounds read and write vulnerability in V8, Chrome’s JavaScript and WebAssembly engine, that is already being exploited in the wild. It is the fifth Chrome zero-day Google has fixed in 2026, and if you treat Chromium as “just the browser,” you are scoping this one too narrowly.

What happened

In a security advisory published June 9, Google confirmed it “is aware that an exploit for CVE-2026-11645 exists in the wild.” The fix shipped in the Stable channel update that also closed 73 other flaws. Per standard practice for actively exploited bugs, Google is withholding technical detail and bug-tracker access until the majority of users have updated.

The flaw was reported on April 27, 2026 by an anonymous researcher who earned a $55,000 bounty. Given active exploitation, it has been added to CISA’s Known Exploited Vulnerabilities catalog — federal agencies are on the clock, and you should treat it the same way.

Technical details

CVE-2026-11645 is an out-of-bounds read and write in V8 (CVSS ~8.8). A crafted HTML page can trigger heap corruption inside the engine, allowing a remote attacker to execute arbitrary code within the browser’s renderer sandbox. On its own that is contained, but OOB read/write primitives are exactly what attackers chain: leak memory to defeat ASLR, then pivot to a second bug for a full sandbox escape. V8 zero-days rarely travel alone, and an in-the-wild OOB write strongly implies a working exploit chain behind it.

Affected versions

You are vulnerable on anything below:

  • Chrome 149.0.7827.102/.103 — Windows and macOS
  • Chrome 149.0.7827.102 — Linux

Because the bug is in V8, every Chromium-based product is in scope: Microsoft Edge, Brave, Opera, Vivaldi, and — critically for infrastructure teams — anything that embeds Chromium.

Why infrastructure engineers should care

The “patch your browser” framing misses where this actually hurts in production:

  • Headless Chrome/Chromium in CI/CD. Puppeteer, Playwright, Selenium, and screenshot/PDF-generation services routinely render untrusted HTML on build agents and backend workers. A malicious page rendered by a headless instance is the same attack surface — minus a human deciding whether to click.
  • Electron apps on endpoints and servers. Slack, VS Code, Discord, Teams, and countless internal tools bundle their own Chromium. They do not update when you bump system Chrome; each ships and patches V8 on its own cadence.
  • Server-side rendering and link unfurlers. Anything that fetches and renders attacker-influenced URLs (chat unfurl previews, scraping pipelines, automated report generators) processes hostile input by design.

Inventory is the hard part here. Most orgs can answer “is Chrome updated?” but cannot quickly answer “which services embed Chromium, and what version of V8 do they ship?”

Mitigation — do this now

  1. Force-update Chrome/Edge to 149.0.7827.102 or later. Verify via chrome://settings/help and confirm your enterprise update policy isn’t pinning an old build. Relaunch — the patch only applies after restart.
  2. Audit embedded Chromium. Enumerate Electron apps and headless-browser dependencies, then update to releases built on patched Chromium. Don’t assume vendor apps have rebased yet.
  3. Patch CI/CD render workers. Rebuild images that pin puppeteer, playwright, or a Chromium binary; verify the bundled revision postdates the fix.
  4. Constrain headless rendering. Run it sandboxed/containerized with least privilege and egress controls so a renderer compromise doesn’t become lateral movement.
  5. Hunt. Review proxy and EDR telemetry for renderer crashes, anomalous child processes spawned by browser/Electron processes, and unexpected outbound connections from CI agents.

References

  • Google Chrome Releases — Stable Channel update (June 2026)
  • NVD: CVE-2026-11645
  • CISA Known Exploited Vulnerabilities Catalog

V8 memory-corruption zero-days are a recurring pattern in 2026 — this is the fifth. The durable fix isn’t faster browser updates; it’s knowing every place Chromium runs in your estate and patching all of them on the same clock.