Google Patches Fifth Chrome Zero-Day This Year — And Attackers Are Already Using It

Google just shipped emergency fixes for yet another Chrome zero-day that’s been actively exploited in the wild. This one — CVE-2026-11645 — is the fifth such vulnerability Google has patched since January, and it’s a nasty one: an out-of-bounds read and write bug in Chrome’s V8 JavaScript engine that lets attackers execute arbitrary code inside the browser sandbox.

What’s the actual risk?

The vulnerability lives in V8, the engine that powers JavaScript execution in Chrome. By crafting a malicious HTML page, a remote attacker can trigger heap corruption: reading and writing memory beyond the intended buffer. That alone is bad enough, but there’s a worse angle: successful exploitation can also bypass ASLR (Address Space Layout Randomization), the OS-level defense that randomizes where code and data are loaded in memory so that an attacker cannot predict the addresses an exploit needs. Break ASLR, and suddenly a second vulnerability becomes far more weaponizable.

Google says it’s aware of exploits circulating in the wild but hasn’t shared details about who’s being targeted or by whom. That’s standard practice — the company typically restricts bug details until most users have updated. But the clock is ticking: the fix is out, and the exploit is known.

Five zero-days in six months

The pace is striking. Here’s the 2026 Chrome zero-day tally so far:

CVE-2026-2441 — An iterator invalidation bug in CSS font feature values, patched in February.
CVE-2026-3909 — Out-of-bounds write in the Skia 2D graphics library, patched in March.
CVE-2026-3910 — Improper implementation in V8, also March.
CVE-2026-5281 — Use-after-free in Dawn (Chrome’s WebGPU implementation), patched in April.
CVE-2026-11645 — The current V8 out-of-bounds read/write, patched now.

Last year Google fixed eight zero-days, many linked to spyware operations tracked by the company’s Threat Analysis Group. The trend line isn’t encouraging: attackers are finding Chrome bugs faster than Google can close the gaps.

What you should do

Chrome should auto-update on its next launch, but don’t wait. Go to chrome://settings/help right now and trigger the update manually. The patched versions are 149.0.7827.102 for Windows and Linux, and 149.0.7827.103 for Mac. If you’re managing enterprise deployments, push this update today — not tomorrow.
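
A fleet-side check for the builds named above, as an added example that is not from Google or the original article: it compares reported Chrome versions numerically against the patched build for each platform. The inventory rows and hostnames are constructed, and treating any later build as patched is an assumption.

```python
import re

# Patched builds stated in the article, per platform.
PATCHED = {
    "windows": (149, 0, 7827, 102),
    "linux": (149, 0, 7827, 102),
    "mac": (149, 0, 7827, 103),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract a four-part Chrome version as a tuple of ints, or None."""
    match = _VERSION_RE.search(text or "")
    return tuple(int(part) for part in match.groups()) if match else None


def classify(platform, version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one host."""
    minimum = PATCHED.get(platform.strip().lower())
    version = parse_version(version_text)
    if minimum is None or version is None:
        return "unknown"  # needs manual follow-up, never counted as safe
    # Tuple comparison is numeric per component; comparing the raw strings
    # would rank "149.0.7827.99" above "149.0.7827.102".
    return "patched" if version >= minimum else "vulnerable"


def audit(inventory):
    """Map each status to the sorted list of hostnames in that state."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for host, platform, version_text in inventory:
        report[classify(platform, version_text)].append(host)
    return {status: sorted(hosts) for status, hosts in report.items()}


# Constructed sample inventory: (hostname, platform, reported version string).
SAMPLE_INVENTORY = [
    ("ws-001", "Windows", "149.0.7827.102"),
    ("ws-002", "Windows", "149.0.7827.99"),
    ("mb-010", "Mac", "149.0.7827.102"),
    ("mb-011", "Mac", "Google Chrome 149.0.7827.103"),
    ("lx-020", "Linux", "Google Chrome 150.0.7900.10"),
    ("lx-021", "Linux", ""),
    ("cb-030", "ChromeOS", "149.0.7827.102"),
]

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```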

Also worth noting: this bug was reported by an anonymous researcher. We still don’t know who’s behind the in-the-wild exploitation. That uncertainty is itself a signal — sophisticated actors don’t burn zero-days casually.

The bigger picture

Five zero-days in the first half of 2026 puts Chrome on pace to exceed last year’s total. V8 remains the most targeted component, which makes sense — it’s the part of the browser that processes untrusted JavaScript from every website you visit. It’s the front door.

Google has invested heavily in sandbox hardening and memory safety initiatives, but attackers keep finding cracks. If you’re a high-value target — journalist, activist, government employee, security researcher — this is the kind of bug that gets used in targeted attacks. Update now, and assume the exploit is already in someone’s toolkit.