
Google Patches Actively Exploited Chrome V8 Zero-Day CVE-2026-11645


CyberSecureFox Editorial Team


Google has released a security update for Chrome that fixes 74 vulnerabilities, including the critically dangerous CVE-2026-11645 (CVSS 8.8) in the V8 JavaScript engine, which is already being exploited by attackers. The vulnerability allows a remote attacker to execute arbitrary code inside the browser sandbox via a specially crafted HTML page. All users of Chrome and Chromium-based browsers must immediately update to version 149.0.7827.102/.103.

Technical analysis of CVE-2026-11645

According to the description in the NVD database, the vulnerability is an out-of-bounds read and write issue in V8 — the JavaScript and WebAssembly engine used in Google Chrome. The defect affects all Chrome versions prior to 149.0.7827.103.

The attack vector is network-based: to exploit it, it is enough to trick the victim into opening a malicious HTML page. This can be done via a phishing link, malicious advertising, or compromise of a legitimate web resource. Out-of-bounds read/write bugs in V8 are particularly dangerous because the engine processes JavaScript code on every page visited, and the ability to both read from and write beyond the bounds of an allocated buffer opens the way to full arbitrary code execution.

It is important to note that although NVD states that code execution occurs “inside a sandbox,” this does not mean it is completely safe. The Chrome sandbox is a serious barrier; however, when combined with an additional sandbox escape vulnerability, an attacker can gain full control of the system. As indicated in the official security bulletin, Google has confirmed the existence of an exploit in the wild but has refrained from publishing details until users have widely deployed the update.

The vulnerability was discovered by a researcher using the pseudonym “303f06e3” and, according to Google, was reported on April 27, 2026. For responsible disclosure, the researcher reportedly received a reward of $55,000 — an amount that reflects both the criticality of the finding and its active exploitation.

Fifth Chrome zero-day in 2026

CVE-2026-11645 has become the fifth Chrome zero-day vulnerability that Google has remediated since the beginning of 2026. Previously, the following were fixed:

This pace — five exploited zero-days in the first half of the year — points to attackers’ sustained interest in browser vulnerabilities as an initial access vector. The V8 engine remains a priority target: its complex JIT compilation architecture creates an extensive attack surface, and Chrome’s ubiquity makes each such vulnerability potentially far-reaching.

Impact assessment

The scale of the threat is determined by Chrome’s dominant share of the browser market. At risk are not only Chrome users, but also everyone working with Chromium-based browsers: Microsoft Edge, Brave, Opera, Vivaldi, and others. For these browsers, the corresponding patches may be released with a delay, which creates a window of vulnerability.

The highest risk is to corporate environments, where browser updates may be delayed due to configuration management policies, as well as to users who have not enabled automatic updates. Given that exploitation only requires following a link, the vulnerability is ideally suited for targeted phishing attacks against organization employees.

Mitigation recommendations

The update should be applied immediately — exploitation has already been confirmed. Target versions:

  • Windows and macOS: Chrome 149.0.7827.102 or 149.0.7827.103
  • Linux: Chrome 149.0.7827.102

To check for and install the update: open the Chrome menu → Help → About Google Chrome. The browser will automatically download the update, after which a restart will be required. In corporate environments, it is recommended to forcibly roll out the update via configuration management systems and temporarily restrict access to external web resources for systems where the update cannot be applied promptly.

Users of Chromium-based browsers should monitor the release of updates from the respective vendors and apply them immediately after they become available.

Given the confirmed active exploitation of CVE-2026-11645 and the trivial attack vector via a malicious web page, updating Chrome to version 149.0.7827.102/.103 should be completed within hours, not days. For organizations managing fleets of workstations, the priority of this patch is maximal: verify update coverage via your management console and ensure that no system remains on a vulnerable version.
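The last step above, verifying that no system remains on a vulnerable build, is where fleet checks most often go wrong: version strings compared as text put 149.0.7827.99 "above" 149.0.7827.102. The following script is an added example, not code from the article or from Google, that compares Chrome build numbers numerically against the fixed versions the article lists and buckets hosts for follow-up. The inventory lines, hostnames and the CSV layout (hostname, platform, browser, version) are constructed sample data; the thresholds are the article's own.

```python
"""Triage a Chrome inventory against the fixed builds for CVE-2026-11645.

Added example (not from the article or from Google). The inventory below is
constructed sample data; only the fixed-version thresholds come from the
advisory summary.
"""
from __future__ import annotations

from typing import NamedTuple

# Minimum fixed build per platform, as listed in the mitigation section:
# Windows/macOS .102 or .103, Linux .102. Anything below these is vulnerable.
FIXED_VERSIONS = {
    "windows": (149, 0, 7827, 102),
    "macos": (149, 0, 7827, 102),
    "linux": (149, 0, 7827, 102),
}

# Constructed sample inventory: "hostname,platform,browser,version"
SAMPLE_INVENTORY = """\
ws-001,windows,chrome,149.0.7827.103
ws-002,windows,chrome,149.0.7827.102
ws-003,windows,chrome,148.0.7755.90
srv-build,linux,chrome,149.0.7827.102
mac-dev-1,macos,chrome,149.0.7801.15
ws-004,windows,edge,149.0.3600.12
ws-005,windows,chrome,not-installed
"""


class Host(NamedTuple):
    name: str
    platform: str
    browser: str
    version: str


def parse_version(text: str) -> tuple[int, ...] | None:
    """Turn '149.0.7827.102' into (149, 0, 7827, 102); None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str, platform: str) -> bool | None:
    """True if the Chrome build is below the fixed build for its platform.

    Returns None when the version cannot be parsed or the platform is unknown,
    so such entries are surfaced rather than silently counted as patched.
    """
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(platform.lower())
    if parsed is None or fixed is None:
        return None
    # Tuple comparison is numeric and positional, so 149.0.7827.99 < .102 and
    # 148.x < 149.x; a plain string comparison would get the first case wrong.
    return parsed < fixed


def parse_inventory(text: str) -> list[Host]:
    """Parse the simple CSV layout used by SAMPLE_INVENTORY."""
    hosts: list[Host] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, platform, browser, version = (f.strip() for f in line.split(","))
        hosts.append(Host(name, platform, browser, version))
    return hosts


def triage(text: str) -> dict[str, list[str]]:
    """Bucket hosts into vulnerable / patched / unknown / other_browser."""
    buckets: dict[str, list[str]] = {
        "vulnerable": [], "patched": [], "unknown": [], "other_browser": []
    }
    for host in parse_inventory(text):
        if host.browser.lower() != "chrome":
            # Chromium derivatives (Edge, Brave, Opera, Vivaldi) ship their own
            # fixes on their own schedule and need their vendor's threshold.
            buckets["other_browser"].append(host.name)
            continue
        state = is_vulnerable(host.version, host.platform)
        if state is None:
            buckets["unknown"].append(host.name)
        elif state:
            buckets["vulnerable"].append(host.name)
        else:
            buckets["patched"].append(host.name)
    return buckets


if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:>14}: {', '.join(names) or '-'}")
```

Feed it the export from your management console in the same four-column layout; the "unknown" bucket is worth reviewing by hand, since a host whose version cannot be read is not evidence that it is patched.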


CyberSecureFox Editorial Team

The CyberSecureFox Editorial Team covers cybersecurity news, vulnerabilities, malware campaigns, ransomware activity, AI security, cloud security, and vendor security advisories. Articles are prepared using official advisories, CVE/NVD data, CISA alerts, vendor publications, and public research reports. Content is reviewed before publication and updated when new information becomes available.
