Full Report
Google has released emergency updates to patch another Chrome zero-day vulnerability that has been exploited in the wild, the fifth such flaw patched since the start of the year. [...]
Analysis Summary
# Vulnerability: Chrome V8 Out-of-Bounds Read and Write
## CVE Details
- **CVE ID:** CVE-2026-11645
- **CVSS Score:** Not yet finalized (Assessed as **High** Severity by Vendor)
- **CWE:** CWE-125 (Out-of-bounds Read) / CWE-787 (Out-of-bounds Write)
## Affected Systems
- **Products:** Google Chrome / Chromium-based browsers
- **Versions:** Versions prior to 149.0.7827.102 (Windows/Linux) and 149.0.7827.103 (Mac)
- **Configurations:** All standard builds. V8 is the JavaScript engine compiled into Chrome and every Chromium-based browser; it cannot be removed or disabled by configuration, so every unpatched installation is exposed.
## Vulnerability Description
CVE-2026-11645 is a high-severity out-of-bounds (OOB) memory access flaw in V8, the JavaScript engine used by Chrome and other Chromium-based browsers. Crafted JavaScript can make V8 read from and write to memory outside the bounds of an allocated buffer, corrupting the heap of the renderer process.
For an attacker the flaw yields two primitives: an OOB read that discloses memory contents (enough to defeat Address Space Layout Randomization, ASLR, by leaking object addresses) and an OOB write that corrupts memory. Together these are the usual building blocks for arbitrary code execution in the renderer, or at minimum a crash. Note that V8 runs inside Chrome's sandboxed renderer process: code execution obtained this way is confined by the sandbox, and a separate sandbox-escape vulnerability is needed to reach the operating system. The vendor advisory does not say whether the in-the-wild exploitation chained this flaw with a sandbox escape.
## Exploitation
- **Status:** **Exploited in the wild.** Google has confirmed that an exploit for this flaw exists and is being used by attackers.
- **Complexity:** Medium (the victim must render attacker-controlled HTML/JavaScript, for example by visiting a malicious or compromised web page)
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Potential memory disclosure and ASLR bypass)
- **Integrity:** High (out-of-bounds memory write in the renderer process, the usual stepping stone to arbitrary code execution)
- **Availability:** High (Can lead to application crashes/Denial of Service)
## Remediation
### Patches
Google has released the following stable channel updates:
- **Windows:** 149.0.7827.102
- **Linux:** 149.0.7827.102
- **macOS:** 149.0.7827.103
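A practitioner confirming the rollout will compare installed versions against the builds above. Chrome version strings have four numeric components and must be compared numerically, component by component: as text, `149.0.7827.99` sorts after `149.0.7827.102` even though it is older, and a naive string comparison would report vulnerable hosts as patched. The following Python script is an added example, not code from Google or from the advisory; the hostnames in the inventory are constructed, and the thresholds are the fixed versions listed in this section.

```python
"""Chrome version compliance check for CVE-2026-11645 (added example).

Compares installed Chrome/Chromium version strings against the fixed builds
listed in the advisory, per platform. Versions are compared as tuples of
integers, never as strings.
"""
import re

# Minimum fixed versions from the advisory, per platform.
FIXED_VERSIONS = {
    "windows": "149.0.7827.102",
    "linux": "149.0.7827.102",
    "mac": "149.0.7827.103",
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract a 4-part Chrome version tuple from text such as
    'Google Chrome 149.0.7827.102' (the output of `google-chrome --version`)
    or 'Chromium 149.0.7827.98'. Returns None when no version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.groups())


def is_patched(version_text, platform):
    """True if the version found in version_text is at or above the fixed
    build for the platform ('windows', 'linux' or 'mac')."""
    installed = parse_version(version_text)
    if installed is None:
        raise ValueError(f"no version found in {version_text!r}")
    fixed = parse_version(FIXED_VERSIONS[platform.lower()])
    return installed >= fixed


def audit(inventory):
    """inventory: iterable of (hostname, platform, version_text).
    Returns a list of (hostname, version_text) that are still vulnerable.
    Unparsable versions and unknown platforms are reported as non-compliant
    rather than silently skipped."""
    vulnerable = []
    for host, platform, version_text in inventory:
        try:
            ok = is_patched(version_text, platform)
        except (ValueError, KeyError):
            ok = False
        if not ok:
            vulnerable.append((host, version_text))
    return vulnerable


# Constructed sample inventory (hypothetical hosts), shaped like an export
# from an endpoint management tool.
SAMPLE_INVENTORY = [
    ("ws-001", "windows", "Google Chrome 149.0.7827.102"),
    ("ws-002", "windows", "Google Chrome 149.0.7827.99"),
    ("mac-010", "mac", "Google Chrome 149.0.7827.102"),   # macOS fix is .103
    ("lnx-020", "linux", "Chromium 150.0.7900.10"),
    ("lnx-021", "linux", "Chromium (version unknown)"),
]

if __name__ == "__main__":
    for host, ver in audit(SAMPLE_INVENTORY):
        print(f"NOT PATCHED: {host} -> {ver}")
```

On Windows the installed version can be read from the file metadata of `chrome.exe` (for example `(Get-Item "C:\Program Files\Google\Chrome\Application\chrome.exe").VersionInfo.ProductVersion` in PowerShell); on Linux `google-chrome --version` prints a line the parser above accepts. Remember that the installed version and the running version can differ: Chrome applies a downloaded update only when it is relaunched.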
### Workarounds
No non-patch workaround is available: V8 cannot be disabled, so the only mitigation short of updating is to avoid untrusted websites. Note that Chrome downloads updates in the background but keeps running the old build until the browser is relaunched, so users who leave Chrome open for days stay exposed after the update has downloaded. Opening chrome://settings/help shows the running version, triggers an update check and prompts for the relaunch.
## Detection
- **Indicators of Compromise:** None published. Following its usual practice for exploited bugs, Google is withholding bug details and links until a majority of users have updated, to avoid helping additional attackers.
- **Detection Methods:**
- Monitor for unexpected crashes of Chrome renderer processes (`chrome.exe --type=renderer` on Windows, `chrome --type=renderer` on Linux, `Google Chrome Helper (Renderer)` on macOS). On Windows, V8 is linked into `chrome.dll` rather than shipped as a separate `v8.dll`, so look for Application Error events whose faulting module is `chrome.dll` with an access-violation (`0xc0000005`) or heap-corruption (`0xc0000374`) exception code. Crash telemetry is noisy and a successful exploit need not crash the process, so treat this as triage input rather than as a detection.
- Use EDR/AV telemetry to catch post-exploitation activity that would indicate a sandbox escape, such as a renderer process spawning unexpected child processes, writing executable files, or making unusual outbound connections.
- Inventory installed versions through enterprise management tooling (GPO/Intune, or the Chrome Browser Cloud Management console) and confirm they meet or exceed the fixed builds listed above, comparing version numbers numerically component by component rather than as strings.
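As an added example of the crash-triage step (not code from the advisory or from Google), the script below filters Windows Application Error records (Event ID 1000) for chrome.exe crashes whose faulting module is chrome.dll and whose exception code is one of the memory-corruption NTSTATUS values. The event messages are constructed for the example and flattened onto one line each; the versions, timestamps and the vendor driver file name are made up.

```python
"""Triage of Windows Event ID 1000 (Application Error) messages for Chrome
renderer crashes that look like memory corruption (added example).

Official Chrome builds on Windows link V8 into chrome.dll, so a V8 fault
appears as chrome.exe crashing with chrome.dll as the faulting module.
"""
import re

# NTSTATUS codes Windows reports for the failure modes of interest.
SUSPICIOUS_CODES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC0000374: "STATUS_HEAP_CORRUPTION",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",   # also used for fast-fail aborts
}

# "Faulting application name: X," and "Faulting module name: Y," fields.
_FIELD_RE = re.compile(r"Faulting (application name|module name): ([^,]+)")
_CODE_RE = re.compile(r"Exception code: 0x([0-9a-fA-F]+)")


def parse_event(message):
    """Pull the application, faulting module and exception code out of the
    free-text body of an Event 1000 record."""
    fields = {k: v.strip() for k, v in _FIELD_RE.findall(message)}
    code = _CODE_RE.search(message)
    return {
        "app": fields.get("application name", "").lower(),
        "module": fields.get("module name", "").lower(),
        "code": int(code.group(1), 16) if code else None,
    }


def is_suspicious_chrome_crash(message):
    """True for a chrome.exe crash inside chrome.dll with a memory-corruption
    style exception code. Crashes in other modules (GPU drivers, shell
    extensions) are excluded because they are not V8 faults."""
    ev = parse_event(message)
    return (ev["app"] == "chrome.exe"
            and ev["module"] == "chrome.dll"
            and ev["code"] in SUSPICIOUS_CODES)


def triage(messages):
    """Return (message index, exception name) for each suspicious crash."""
    hits = []
    for i, msg in enumerate(messages):
        if is_suspicious_chrome_crash(msg):
            hits.append((i, SUSPICIOUS_CODES[parse_event(msg)["code"]]))
    return hits


# Constructed sample event messages (hypothetical values throughout).
SAMPLE_EVENTS = [
    "Faulting application name: chrome.exe, version: 149.0.7827.99, time stamp: 0x00000000 "
    "Faulting module name: chrome.dll, version: 149.0.7827.99, time stamp: 0x00000000 "
    "Exception code: 0xc0000005 Fault offset: 0x0000000001a2b3c4 Faulting process id: 0x1f40",
    "Faulting application name: chrome.exe, version: 149.0.7827.99, time stamp: 0x00000000 "
    "Faulting module name: chrome.dll, version: 149.0.7827.99, time stamp: 0x00000000 "
    "Exception code: 0xc0000374 Fault offset: 0x000000000010abcd Faulting process id: 0x2b10",
    # Crash in a (hypothetical) GPU vendor driver: not a V8 fault.
    "Faulting application name: chrome.exe, version: 149.0.7827.99, time stamp: 0x00000000 "
    "Faulting module name: gpu_vendor_driver.dll, version: 31.0.15.0000, time stamp: 0x00000000 "
    "Exception code: 0xc0000005 Fault offset: 0x00000000001234ab Faulting process id: 0x0ccc",
    # Unrelated application.
    "Faulting application name: notepad.exe, version: 10.0.19041.1, time stamp: 0x00000000 "
    "Faulting module name: ntdll.dll, version: 10.0.19041.1, time stamp: 0x00000000 "
    "Exception code: 0xc0000374 Fault offset: 0x00000000000ff0ab Faulting process id: 0x0a10",
]

if __name__ == "__main__":
    for index, reason in triage(SAMPLE_EVENTS):
        print(f"event {index}: suspicious Chrome crash ({reason})")
```

Event 1000 does not record the process command line, so the filter cannot tell a renderer from the browser or GPU process; combining it with the faulting application version (pre-fix builds only) and with the browser history or proxy logs for the same time window is what turns a hit into something worth investigating. Benign renderer crashes with these same codes are common, so the output is a work queue, not an alert.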
## References
- **Vendor Advisory:** hxxps[://]chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0153744567.html
- **NVD Entry:** hxxps[://]nvd.nist.gov/vuln/detail/CVE-2026-11645
- **BleepingComputer Report:** hxxps[://]www.bleepingcomputer.com/news/security/google-patches-new-chrome-zero-day-flaw-exploited-in-the-wild/