Google Chrome Patches Fifth Zero-Day of 2026
Key insights
- CVE-2026-11645, a V8 out-of-bounds read and write flaw, marks Chrome's fifth actively exploited zero-day patched in 2026.
- Fixed versions are Chrome 149.0.7827.102 for Windows and Linux, and 149.0.7827.103 for Mac, released June 9, 2026.
- An anonymous researcher reported the vulnerability; Google issued the patch approximately two weeks after the report.
Why this matters
Chrome has been hit by five exploited zero-days in 2026, two of them in the V8 engine, a rate that points to organized offensive research rather than opportunistic discovery. For enterprise security teams, the two-week gap between an anonymous report and a patch for a confirmed in-the-wild exploit means attackers had a material operational window before defenders had a fix. V8's repeated appearance as an exploitation target makes JavaScript engine hardening, not just patching speed, a competitive differentiator for browser vendors and a budget priority for large Chrome fleet operators.
Summary
Chrome's fifth zero-day of 2026 is now patched. Google confirmed active exploitation of CVE-2026-11645, a high-severity out-of-bounds read and write flaw in the V8 JavaScript engine, exploitable via crafted HTML pages to achieve code execution inside the browser sandbox. Heap corruption enables bypassing ASLR, and when chained with other vulnerabilities it opens a broader code execution path.
An anonymous security researcher reported the bug. Google shipped the fix on June 9, 2026, roughly two weeks after the report.
Essentially: Google and Chrome users on all platforms have faced five actively exploited zero-days confirmed in under six months, each requiring an urgent update.
- Fixed in Chrome 149.0.7827.102 for Windows and Linux, and 149.0.7827.103 for Mac
- The four prior 2026 zero-days hit CSSFontFeatureValuesMap, Skia, V8, and Dawn via CVE-2026-2441, CVE-2026-3909, CVE-2026-3910, and CVE-2026-5281
- The reporting researcher was anonymous, leaving the exploitation campaign publicly unattributed
Five exploited zero-days in six months, two of them in V8, signal sustained, targeted offensive research against the world's most widely deployed browser runtime.
Potential risks and opportunities
Risks
- Enterprise Chrome fleets with auto-update disabled or centrally delayed remain exposed during the gap between the June 9 patch release and fleet-wide update completion
- Five Chrome zero-days in six months, two of them in V8, suggest an active exploit development program that likely holds additional unpatched vulnerabilities, so risk persists even after this fix ships
- The anonymous reporter and unattributed exploitation leave open whether other parties possessed the exploit before the fix shipped, with no public disclosure of scope or targeted sectors
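The first risk above is a fleet-inventory question: which hosts still run a Chrome build older than the fixed version for their platform? The script below is an added example, not code from the page or from Google; it compares installed Chrome version strings against the fixed versions the page lists (149.0.7827.102 for Windows and Linux, 149.0.7827.103 for Mac) and reports the hosts that still need the update. The inventory lines are constructed sample data; how you collect real version strings (a management agent, `chrome --version`, the Windows registry) is outside this example and left as an assumption.

```python
"""Flag hosts whose Chrome build predates the CVE-2026-11645 fix.

Added example for this summary; not Google's or the original article's code.
"""

# Fixed versions as stated in the summary (Windows/Linux vs. Mac differ).
FIXED_VERSIONS = {
    "windows": (149, 0, 7827, 102),
    "linux": (149, 0, 7827, 102),
    "mac": (149, 0, 7827, 103),
}

# Constructed sample inventory: host,platform,installed Chrome version.
INVENTORY = """\
host01,windows,149.0.7827.102
host02,windows,149.0.7800.50
host03,mac,149.0.7827.102
host04,linux,148.0.7700.120
host05,mac,149.0.7827.103
"""


def parse_version(text: str) -> tuple[int, ...]:
    """Turn 'MAJOR.MINOR.BUILD.PATCH' into a tuple that compares numerically."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(platform: str, version: str) -> bool:
    """True if the installed build is at or above the fixed version for that platform.

    Assumption: any build numerically newer than the fixed one also carries the fix,
    which is how Chrome's linear release versioning normally behaves.
    """
    key = platform.strip().lower()
    if key not in FIXED_VERSIONS:
        raise ValueError(f"unknown platform: {platform!r}")
    return parse_version(version) >= FIXED_VERSIONS[key]


def unpatched_hosts(inventory: str) -> list[str]:
    """Return the hostnames from a CSV inventory that still need the update."""
    missing = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, platform, version = (field.strip() for field in line.split(","))
        if not is_patched(platform, version):
            missing.append(host)
    return missing


if __name__ == "__main__":
    for host in unpatched_hosts(INVENTORY):
        print(f"{host}: needs Chrome update for CVE-2026-11645")
```

Note that host03 is flagged even though it runs 149.0.7827.102: on Mac the fixed build is .103, so a single fleet-wide threshold would miss it. Keeping the per-platform table is the point of the check.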
Opportunities
- Browser security vendors and EDR providers can market V8-specific exploit detection rules to enterprise Chrome customers facing a documented five-exploit-in-six-months track record
- Enterprise browser vendors such as Island and Talon Cyber Security gain a concrete 2026 data point to accelerate sales cycles with security-conscious buyers evaluating managed browser alternatives
- Bug bounty triage and coordinated disclosure firms gain negotiating leverage as Google faces public pressure to shorten patch timelines on confirmed in-the-wild zero-days
What we don't know yet
- Attribution behind CVE-2026-11645 exploitation: no threat actor, campaign, or victim sector was named in public reporting
- Whether the anonymous researcher received a bug bounty payout under Google's Vulnerability Reward Program, and the size of any reward
- Whether Google operates a shorter patch SLA for confirmed in-the-wild flaws versus privately reported bugs, and how the two-week timeline compares to that standard
Originally reported by bleepingcomputer.com
Original headline: Google Patches Fifth Chrome Zero-Day of 2026 — CVE-2026-11645 V8 Engine Heap Corruption Actively Exploited in the Wild