Google patches actively exploited Chrome zero-day CVE-2026-11645

Google released Chrome updates to fix CVE-2026-11645, an actively exploited V8 out-of-bounds flaw; update to Chrome 149.0.7827.102/103 now.

Google released Chrome updates that address CVE-2026-11645, a high-severity out-of-bounds memory flaw in V8, Chrome’s JavaScript and WebAssembly engine. The fix is included in a broader update that resolves 74 security issues. Windows and macOS users should move to Chrome 149.0.7827.102 or 149.0.7827.103; Linux users should update to 149.0.7827.102. To update, open More > Help > About Google Chrome and select Relaunch if an update is available.

The vulnerability is tracked as CVE-2026-11645 and carries a CVSS score of 8.8. The U.S. National Vulnerability Database describes an out-of-bounds read and write in V8 in Chrome versions prior to 149.0.7827.103 that allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Google credited a researcher identified as ‘303f06e3’ with reporting the bug on April 27, 2026, and awarded a $55,000 bug bounty for the disclosure.

Google confirmed an exploit for CVE-2026-11645 exists in the wild and withheld technical details to allow a majority of users time to install the update and to limit further exploitation. The company noted this update closes the fifth actively exploited Chrome zero-day addressed this year, following CVE-2026-2441, CVE-2026-3909, CVE-2026-3910 and CVE-2026-5281.

Vendors of other Chromium-based browsers, including Microsoft Edge, Brave, Opera and Vivaldi, are expected to release comparable fixes; users of those browsers should apply vendor updates when they become available.
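For teams checking a fleet against the fixed builds named above, the following is an added example, not code from Google or from this article. The CSV inventory format, host names and sample version strings are constructed assumptions; only the 149.0.7827.102 threshold comes from the article.

```python
import csv
import io

# Minimum fixed Chrome build per platform, as stated in the article.
FIXED_CHROME = {
    "windows": (149, 0, 7827, 102),
    "macos": (149, 0, 7827, 102),
    "linux": (149, 0, 7827, 102),
}

def parse_version(text):
    """Return a 4-part numeric tuple, or None if the string is malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(os_name, browser, version):
    # Other Chromium-based browsers use their own version numbering, so the
    # Chrome threshold cannot be applied to them; defer to the vendor advisory.
    if browser.strip().lower() != "chrome":
        return "check-vendor"
    fixed = FIXED_CHROME.get(os_name.strip().lower())
    parsed = parse_version(version)
    if fixed is None or parsed is None:
        return "unknown"
    # Compare as integer tuples: as plain strings, "149.0.7827.99" sorts
    # after "149.0.7827.102" and would be reported as patched.
    return "patched" if parsed >= fixed else "vulnerable"

# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = """host,os,browser,version
ws-001,Windows,Chrome,149.0.7827.103
ws-002,Windows,Chrome,149.0.7827.99
mb-014,macOS,Chrome,148.0.7778.168
lx-007,Linux,Chrome,149.0.7827.102
ws-020,Windows,Edge,149.0.3900.12
lx-031,Linux,Chrome,149.0.7827
"""

def audit(inventory_csv):
    """Map each host in the CSV inventory to its patch status."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["os"], r["browser"], r["version"]) for r in rows}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as `unknown` have a truncated or unparseable version string and need a manual check rather than being assumed patched.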
