
Chrome rushes a fix for CVE-2026-11645, a V8 zero-day already under attack

On 8 June 2026 Google shipped a Chrome update that closes CVE-2026-11645, a V8 flaw that was already being exploited when the patch landed. It’s the fifth Chrome zero-day fixed so far this year, so update now rather than later.

What the vulnerability is

The bug lives in V8, the JavaScript and WebAssembly engine inside Chrome. It’s an out-of-bounds read and write, classified as CWE-125 and CWE-787. A crafted web page can read from and write to memory regions it has no business touching, and from there run arbitrary code inside the browser sandbox.

Running inside the sandbox limits the immediate blast radius, but it doesn’t make the flaw harmless. Bugs like this are usually chained with a second sandbox-escape vulnerability to reach the host operating system. On its own it already lets an attacker manipulate what happens in the affected tab, and it serves as the first rung of an attack chain.

Who’s affected and how bad it is

Any Chrome build before 149.0.7827.103 is vulnerable. Because Chromium is the base for Edge, Brave, Opera, Vivaldi and other browsers, those products need the equivalent vendor update once they pick up the fix.

The CVSS 3.1 score is 8.8 (High), vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H: network-exploitable, low complexity, no prior privileges, and the victim only has to open a page. Google confirmed an exploit exists in the wild, and CISA added the flaw to its Known Exploited Vulnerabilities catalog on 9 June 2026 with a patch deadline of 23 June for US federal agencies. Once a browser zero-day is in active use, the gap between the patch and mass exploitation closes fast.

Mitigation and patch

The only real fix is updating to Chrome 149.0.7827.103 or newer. Most installs update on their own, but force it: go to Menu > Help > About Google Chrome, let it download the new build, and restart the browser. The patch doesn’t fully apply without that restart, and it’s exactly the step most people skip.

If you manage machines across an organisation, confirm the version on your fleet is past 149.0.7827.103 and check Chromium-based browsers separately, since their update timing depends on each vendor. There’s no configuration mitigation that replaces the patch: selectively disabling JavaScript or tweaking security settings won’t cover the hole.
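One way to run the fleet check described above, as an added example that is not from the article or from Google: a small Python script that compares reported Chrome versions numerically against 149.0.7827.103 and sets Chromium-based browsers aside for a separate vendor check, since their version numbers don’t line up with Chrome’s. The inventory records are constructed sample data, not real hosts.

```python
"""Fleet triage for CVE-2026-11645: flag Chrome builds older than the fixed release."""

# First Chrome build that closes CVE-2026-11645 (from the advisory).
FIXED_CHROME = "149.0.7827.103"

# Constructed sample inventory: (host, browser, reported version). Not real hosts.
SAMPLE_INVENTORY = [
    ("ws-001", "chrome", "149.0.7827.103"),  # exactly the fixed build
    ("ws-002", "chrome", "149.0.7827.9"),    # older, but string-compares as "newer"
    ("ws-003", "chrome", "148.0.7700.211"),  # previous major release
    ("ws-004", "edge", "149.0.3500.44"),     # Chromium-based: vendor numbering differs
    ("ws-005", "chrome", "unknown"),         # agent failed to report a version
]


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '149.0.7827.103' into (149, 0, 7827, 103) for numeric comparison.

    Plain string comparison would rank '149.0.7827.9' above '149.0.7827.103'.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str, fixed: str = FIXED_CHROME) -> bool:
    """True if the reported Chrome build predates the first build with the fix."""
    return parse_version(version) < parse_version(fixed)


def triage_inventory(records) -> dict[str, list[str]]:
    """Sort hosts into vulnerable / patched / needs-vendor-check / unparseable."""
    buckets: dict[str, list[str]] = {
        "vulnerable": [], "patched": [], "vendor_check": [], "unparseable": []}
    for host, browser, version in records:
        if browser.lower() != "chrome":
            # Edge, Brave, Opera, Vivaldi etc. ship the fix on their own schedule
            # and numbering; compare against each vendor's advisory instead.
            buckets["vendor_check"].append(host)
            continue
        try:
            buckets["vulnerable" if is_vulnerable(version) else "patched"].append(host)
        except ValueError:
            buckets["unparseable"].append(host)
    return buckets


if __name__ == "__main__":
    for bucket, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket:>12}: {', '.join(hosts) or '-'}")
```

Hosts in the "unparseable" bucket deserve a second look rather than being treated as patched: an inventory agent that cannot report a version usually cannot confirm the restart happened either.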
