Google has released an emergency Chrome security update to fix a high severity zero day vulnerability that was actively exploited by attackers in the wild.
Quick Summary – TLDR:
- Google patched 74 security flaws in Chrome, including the actively exploited CVE-2026-11645 vulnerability.
- The flaw affects Chrome’s V8 JavaScript engine and could allow attackers to execute code through malicious web pages.
- Google confirmed that the vulnerability was exploited in real world attacks but has not shared technical details.
- This is the fifth Chrome zero day vulnerability patched by Google in 2026.
What Happened?
Google has rolled out emergency updates for Chrome after discovering that a newly disclosed zero day vulnerability, tracked as CVE-2026-11645, was being exploited in the wild. The flaw impacts Chrome’s V8 JavaScript engine and could allow attackers to execute arbitrary code inside the browser’s sandbox through specially crafted HTML pages.
The company confirmed the existence of active exploitation in a security advisory and urged users to update their browsers as the fix becomes available across supported platforms.
🚨 WARNING: Google just fixed a Chrome zero-day already used in real attacks.
— The Hacker News (@TheHackersNews) June 9, 2026
The bug (CVE-2026-11645) hits V8, Chrome’s JavaScript engine, and can let attackers run code through a crafted HTML page.
Update your browser now.
Read the full story: https://t.co/nt5rUrsDwx
Google Addresses Another Active Chrome Threat
The newly patched vulnerability is classified as an out of bounds read and write flaw in the V8 JavaScript engine, one of Chrome’s most critical components responsible for processing web content.
According to Google, attackers could exploit the bug using a crafted HTML page. Successful exploitation may enable unauthorized access to memory outside designated boundaries, potentially exposing sensitive information or causing browser crashes.
Security experts generally warn that out of bounds memory vulnerabilities can create opportunities for more serious attacks, including privilege escalation, remote code execution, and the bypassing of security protections such as Address Space Layout Randomization, commonly known as ASLR.
Google stated:
“Google is aware that an exploit for CVE-2026-11645 exists in the wild.”
As is common with actively exploited vulnerabilities, Google has limited public disclosure of technical details while users continue to receive the security update.
The company explained:
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix.“
Updates Rolling Out Across Platforms
The fix is being distributed through the Stable Desktop channel and is available for:
- Windows: Chrome 149.0.7827.102
- Mac: Chrome 149.0.7827.103
- Linux: Chrome 149.0.7827.102
Google noted that the rollout could take days or even weeks to reach all users worldwide. However, users can manually check for updates immediately through Chrome’s settings menu instead of waiting for the automatic rollout.
Those who prefer not to update manually can rely on Chrome’s built-in update mechanism, which automatically installs available updates when the browser is restarted.
Anonymous Researcher Earns Bug Bounty
The vulnerability was reported to Google on April 27, 2026 by an anonymous security researcher. As part of Google’s bug bounty program, the researcher received a $55,000 reward for responsibly disclosing the flaw.
The company has not provided additional details about the researcher or the attacks exploiting the vulnerability.
Fifth Chrome Zero Day Fixed This Year
CVE-2026-11645 marks the fifth Chrome zero day vulnerability patched by Google in 2026.
The previous four actively exploited Chrome zero days addressed this year include:
- CVE-2026-2441 involving a use after free issue in CSS.
- CVE-2026-3909 involving an out of bounds write flaw in the Skia graphics library.
- CVE-2026-3910 involving a vulnerability in the V8 JavaScript and WebAssembly engine.
- CVE-2026-5281 involving a use after free flaw in Dawn, Chromium’s WebGPU implementation.
Google also fixed eight Chrome zero days during 2025, highlighting the continued focus of attackers on browser based vulnerabilities.
SQ Magazine Takeaway
I think this update deserves immediate attention because Chrome remains the most widely used web browser in the world, making it a valuable target for attackers. The fact that this vulnerability was already being exploited before a patch became widely available increases the urgency for users and organizations to update as soon as possible. Even though Google has not revealed the details of the attacks, history shows that actively exploited browser flaws can quickly become a major security risk when users delay installing updates.
