Google patches Chrome V8 exploit, 73 other flaws

Google released Chrome 149.0.7827.102/.103 to fix an actively exploited V8 out‑of‑bounds read/write (CVE‑2026‑11645) that can enable remote code execution in the sandbox, plus 73 other bugs.
Google released Chrome 149.0.7827.102/.103 to fix 74 security vulnerabilities, including an actively exploited out‑of‑bounds read/write flaw in the V8 JavaScript engine tracked as CVE‑2026‑11645. The stable channel updates are available now for Windows and macOS as 149.0.7827.102/.103 and for Linux as 149.0.7827.102, with a staged rollout over the coming weeks.
Google’s security bulletin describes CVE‑2026‑11645 as an out‑of‑bounds read and write in V8 that can be triggered by specially crafted HTML. The flaw can allow a remote attacker to place data in memory and cause the browser to execute it as code inside the browser’s sandbox. Google notes that exploit activity has been observed in the wild and that the issue affects Chrome versions prior to 149.0.7827.103.
V8 is the component that runs JavaScript in Chrome and other Chromium‑based browsers, so a flaw in V8 can affect multiple browsers that share the engine. Google characterizes the impact as arbitrary code execution inside the sandbox, meaning any code run by a successful exploit is confined to the browser environment rather than executing directly on the host operating system.
The update fixes a total of 74 vulnerabilities with varying severity levels. The release also adds a user feature to sign PDF forms without installing a browser extension. The changes are included in the stable channel builds that are rolling out now for Windows, macOS and Linux users.
Users who want the patch immediately can update Chrome manually. Open the browser menu and go to Settings, then About Chrome; the browser will check for updates, download available fixes and require a restart to complete installation. Automatic updates will apply the patch for most users, but devices that run continuously or have extensions that block updates may not receive the fix until restarted.
System administrators and security teams should prioritize the update because Google observed exploitation in the wild. Operators managing device fleets should ensure update policies permit the new stable build, test the deployment as needed and schedule restarts so automatic updates can finish. Regularly restarting browsers and systems helps ensure updates are applied and protections take effect.
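For fleet operators, the restart caveat above means a host can have the fixed build on disk while still running the old one. The following is an added example, not Google's tooling: a small triage script over a constructed inventory, where the CSV layout, field names and hostnames are assumptions and only the version numbers come from the article.

```python
# Added example: triage a fleet inventory against the fixed Chrome builds
# named in the article. Inventory format and field names are constructed.
import csv
import io

# Lowest fixed build per platform as listed in the article. Assumption: .102 is
# treated as patched everywhere; raise Windows/macOS to .103 for the stricter
# "prior to 149.0.7827.103" reading of the bulletin.
FIXED = {
    "windows": "149.0.7827.102",
    "macos": "149.0.7827.102",
    "linux": "149.0.7827.102",
}

def parse_version(text):
    """Turn '149.0.7827.102' into (149, 0, 7827, 102) so comparison is numeric.
    A plain string compare would wrongly rank '...99' above '...102'."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Chrome version: {text!r}")
    return tuple(int(p) for p in parts)

def classify(platform, installed, running):
    """Return 'patched', 'pending_restart', 'vulnerable' or 'unknown'."""
    try:
        floor = parse_version(FIXED[platform.lower()])
        inst, run = parse_version(installed), parse_version(running)
    except (KeyError, ValueError):
        return "unknown"  # unlisted platform or unparseable version: review by hand
    if run >= floor:
        return "patched"
    # Update staged on disk, but the old binary is still loaded until restart.
    return "pending_restart" if inst >= floor else "vulnerable"

def triage(inventory_csv):
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["platform"], r["installed"], r["running"]) for r in rows}

# Constructed sample inventory (hostnames and per-host versions are made up).
SAMPLE = """host,platform,installed,running
ws-01,windows,149.0.7827.103,149.0.7827.103
ws-02,windows,149.0.7827.102,149.0.7827.99
mac-07,macos,149.0.7827.99,149.0.7827.99
lnx-03,linux,149.0.7827.102,149.0.7827.102
kiosk-9,chromeos,149.0.7827.102,unknown
"""

if __name__ == "__main__":
    for host, state in triage(SAMPLE).items():
        print(f"{host}: {state}")
```

Hosts reported as `pending_restart` are the ones to target with a scheduled browser restart; `unknown` rows need manual review rather than being counted as patched.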
Chrome and V8 have been frequent sources of security updates. Applying this release reduces exposure to the known active exploit and the risk that attackers could chain this flaw with others to escape the browser sandbox.








