Google rushed out an emergency update for its Chrome web browser on June 8, 2026, patching a high‑severity zero‑day vulnerability that attackers are actively exploiting in the wild. Tracked as CVE-2026-11645, the flaw resides in Chrome’s V8 JavaScript engine and allows a remote attacker to perform out‑of‑bounds read or write operations on heap memory. The update, Chrome 149.0.7827.102 for Linux and Mac and 149.0.7827.103 for Windows, is now rolling out to all desktop users, and the Chrome security team has confirmed that exploitation of this bug has been detected.
A Zero‑Day Under Active Attack
The phrase “zero‑day” is overused, but here it fits precisely: attackers found and weaponized this vulnerability before Google could release a patch. Google’s official advisory states that it is “aware of reports that an exploit for CVE-2026-11645 exists in the wild,” which always translates to: update immediately. The bug was reported by an anonymous researcher on June 5, and just three days later the fix was ready—an unusually fast turnaround that underscores the severity.
While Google has not disclosed the specific campaigns using this exploit, typical attack scenarios involve luring a victim to a maliciously crafted web page through phishing emails, malvertising, or compromised legitimate sites. Once visited, the page can abuse the V8 bug to gain code execution inside Chrome's sandboxed renderer process, where it can read whatever that process holds (with Site Isolation, usually only the attacking site's own data) or, chained with a separate sandbox‑escape bug, reach the underlying operating system. Because Chrome runs with the logged‑in user's privileges, a successful full chain could mean credential theft, session cookie stealing, or installation of malware that persists even after the browser is closed.
Technical Analysis: Out‑of‑Bounds Read/Write in V8
CVE-2026-11645 is rooted in Chrome’s V8 JavaScript and WebAssembly engine—the component that executes all JavaScript code inside the browser. Out‑of‑bounds memory access bugs in this engine are consistently among the most dangerous because they can be triggered simply by visiting a website; no user interaction beyond that is needed.
An out‑of‑bounds read occurs when the JavaScript engine tries to access memory that lies outside the bounds of an allocated buffer. This can leak pointers or other information useful for bypassing Address Space Layout Randomization (ASLR) or other mitigations. The far more dangerous sibling, an out‑of‑bounds write, lets an attacker corrupt adjacent memory objects, potentially hijacking the control flow of the V8 engine. According to the advisory, this particular flaw permits both read and write primitives, giving attackers the flexibility to tailor their exploit chain.
V8 vulnerabilities typically arise from the optimizing JIT compilers (Maglev and TurboFan) miscompiling JavaScript on the basis of an incorrect assumption about a value's type or an array's bounds, or from type confusion bugs in the engine's object model. Google has not published the root cause, and Chrome's "High" severity rating reflects the impact of a bug rather than how easily it is exploited, so anything said about the exploit chain, for instance whether it defeats recent V8 hardening such as the V8 sandbox or pointer compression, is speculation until the bug report is opened.
The Patch: What Changed in Chrome 149.0.7827.102/.103
The fix is included in the Stable channel update that bumps Chrome from 149.0.7827.95 to 149.0.7827.102 (Linux, Mac) or 149.0.7827.103 (Windows). The version number difference arises from platform‑specific packaging adjustments and does not indicate a divergent fix. The update addresses CVE-2026-11645 and likely includes the usual slew of fixes from internal audits and fuzzing. As is standard practice, Google keeps the bug report and its details restricted until a majority of users have updated; the Chromium source commits themselves are public, but withholding the report slows down anyone trying to turn the fix into a working exploit.
Windows users will receive the update through Google Update, Chrome's built‑in updater, but enterprise IT administrators should not wait for the normal check interval: push it through Group Policy or endpoint management tools. The update is available as MSI and EXE installers from the Chrome Enterprise download page, and the Extended Stable channel for Windows also contains the fix.
Why This Matters for Windows Users
While all desktop platforms are affected, Windows environments face unique risks. Many enterprise fleets run managed Chrome installs whose update policies delay rollouts for testing. Attackers are aware of this patch gap and often escalate their campaigns during the first 48 hours after a fix is announced. Moreover, Windows remains the most targeted desktop OS for commodity malware, and a browser‑based initial access vector fits neatly into ransomware and data‑exfiltration operations.
There is also the question of Chromium‑based browsers. Microsoft Edge, Brave, Vivaldi, Opera, and countless others embed Chromium and its V8 engine. These browsers will need to ship their own builds with the fix, and until they do, their users are exposed. Microsoft's Edge typically follows Chrome security updates within hours to days, but other browsers may lag longer. If you use any Chromium‑based browser on Windows, check it carefully. Chrome's own version number is the Chromium version, so 149.0.7827.103 or higher means patched; Edge, Brave, Vivaldi and Opera report their own vendor version numbers, so for those you need to confirm from the vendor's release notes that the build you run includes the CVE-2026-11645 fix.
Mitigation Measures While Updating
If you cannot update immediately, consider these temporary mitigations:
- Run Chrome with the --js-flags=--jitless flag to disable the JIT compilers. JavaScript‑heavy pages get slower and sites that rely on WebAssembly may stop working, but it removes the optimizing‑compiler attack surface that produces most exploitable V8 bugs (bugs in the interpreter, parser or runtime remain). Two caveats: the flag only applies to launches that include it, so a link opened from another application starts Chrome without it, and it is not a long‑term solution. On managed machines the DefaultJavaScriptJitSetting policy does the same job more reliably and can be limited to critical systems.
- Rely on Site Isolation, which is enabled by default in Chrome on desktop Windows and can be pinned on with the SitePerProcess policy. Each site runs in its own renderer process, so an exploit for this bug can only read what the compromised renderer holds, namely the attacking site's own data, and still needs a separate sandbox‑escape bug to reach the rest of the system. It limits the damage; it does not stop the initial exploitation.
- Keep the Chrome sandbox on (--no-sandbox should never be used, as it removes the last barrier between a compromised renderer and the operating system), and make sure Windows Defender Application Guard, where still available, or your endpoint detection and response tooling is active and watching for unusual child processes spawned by chrome.exe.
- For organizations, consider blocking access to untrusted websites via web filtering until the update is applied.
However, the only reliable mitigation is patching. Google will be rolling the fix out to all users over the next few days, and delay only gives attackers more time.
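For managed Windows fleets, the list above is easier to apply as Chrome enterprise policy than as shortcut flags. The following PowerShell is an added example, not the article's own text and not guidance from Google: run from an elevated prompt, it blocks the V8 JIT fleet‑wide with an allow‑list for internal sites, pins Site Isolation on, makes the post‑update relaunch mandatory, and ensures Google Update is allowed to install the fix. The policy names are documented Chrome and Google Update policies; the allow‑list pattern and the one‑hour relaunch period are placeholder choices. Edge accepts the same DefaultJavaScriptJitSetting and SitePerProcess policies under HKLM\SOFTWARE\Policies\Microsoft\Edge.

```powershell
# Added example, not from the article: stage the temporary mitigations as Chrome policies.
# Policy names are documented Chrome / Google Update policies; the allow-list entry and the
# relaunch period are placeholder choices. Run elevated; remove the JIT block once every host
# reports 149.0.7827.103 or later.

$ChromePolicy = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$UpdatePolicy = 'HKLM:\SOFTWARE\Policies\Google\Update'
$ChromeAppId  = '{8A69D345-D564-463c-AFF1-A69D9E530F96}'   # Google Chrome's app ID in Google Update

function Set-PolicyValue {
    # Creates the policy key if needed and writes a single value (DWord or String).
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] $Value,
        [ValidateSet('DWord', 'String')] [string] $Type = 'DWord'
    )
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# 1. Block the V8 JIT for all sites (1 = allow, 2 = block). Policy equivalent of --js-flags=--jitless,
#    and unlike the flag it covers every launch, including links opened from other applications.
Set-PolicyValue -Path $ChromePolicy -Name 'DefaultJavaScriptJitSetting' -Value 2

#    Keep the JIT on only for internal apps that break without it (placeholder pattern, adjust).
Set-PolicyValue -Path "$ChromePolicy\JavaScriptJitAllowedForSites" -Name '1' -Value '[*.]intranet.example' -Type String

# 2. Pin Site Isolation on so it cannot be switched off locally.
Set-PolicyValue -Path $ChromePolicy -Name 'SitePerProcess' -Value 1

# 3. A staged update does nothing until Chrome relaunches: make the relaunch required (2)
#    after one hour (the period is given in milliseconds).
Set-PolicyValue -Path $ChromePolicy -Name 'RelaunchNotification' -Value 2
Set-PolicyValue -Path $ChromePolicy -Name 'RelaunchNotificationPeriod' -Value 3600000

# 4. Make sure Google Update may install Chrome updates (1 = always allow) and checks hourly.
Set-PolicyValue -Path $UpdatePolicy -Name "Update$ChromeAppId" -Value 1
Set-PolicyValue -Path $UpdatePolicy -Name 'AutoUpdateCheckPeriodMinutes' -Value 60

# Chrome picks registry policy up on its own refresh cycle; confirm on chrome://policy (Reload policies).
Get-ItemProperty -Path $ChromePolicy | Select-Object DefaultJavaScriptJitSetting, SitePerProcess, RelaunchNotification
```

The JIT block is the one setting to revert afterwards: it is a stopgap with a real compatibility cost, whereas Site Isolation, a required relaunch and an unrestricted updater are worth keeping permanently.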
A Broader Pattern: V8 as a Constant Target
This is not the first V8 zero‑day of 2026, and it won't be the last. CVE-2026-11645 follows a string of high‑profile V8 bugs exploited in 2025, including CVE‑2025‑12791 and CVE‑2025‑14231, both of which were chained with sandbox escapes to deliver spyware. The V8 engine's complexity, millions of lines of performance‑critical C++ with several tiers of code generation, makes it an attractive target. Google has invested heavily in sanitizers, fuzzers, and in‑process isolation measures like the V8 sandbox (a software boundary around V8's heap, not a hardware one), yet determined attackers keep finding ways around them.
The short turnaround from report to patch (three days) is commendable, but it says less about the bug than it might seem: Chrome's response time for in‑the‑wild exploits is driven by the fact of exploitation, not by how easy the bug is to trigger. Google's security teams sometimes publish a root‑cause analysis once the patch has reached most users, and Project Zero tracks in‑the‑wild zero‑days in its public spreadsheet, but a deep‑dive writeup is not guaranteed for every one.
How to Check Your Chrome Version and Update
- Open Chrome and click the three‑dot menu → Help → About Google Chrome.
- The current version will be displayed. Opening this page also triggers an update check; if the installed version is below 149.0.7827.102 (Linux/Mac) or 149.0.7827.103 (Windows), the newer build begins downloading automatically.
- Relaunch Chrome to complete the update.
For enterprise deployments, admins can verify via:
chrome://version/
and force the update using the Google Update policy or by redeploying the latest MSI.
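On a fleet, clicking through About Google Chrome on every machine does not scale. The following PowerShell is an added example, not the article's own text, that inventories the common Chromium‑based browsers on a Windows host and flags Chrome installs still below the patched Windows build. The install paths are the vendors' default locations and are an assumption to extend for non‑standard installs; only Chrome's own file version equals the Chromium version, so Edge, Brave, Vivaldi and Opera are listed with their vendor versions for follow‑up against release notes rather than compared.

```powershell
# Added example, not from the article: inventory Chromium-based browsers on a Windows host and
# flag Chrome installs still below the patched build. Install paths are the vendors' defaults
# and are an assumption; add any non-standard locations your fleet uses. Only Chrome's own
# version equals the Chromium version; Edge, Brave, Vivaldi and Opera report vendor versions,
# so they are listed for follow-up against the vendor's release notes, not compared.

$PatchedChromeWindows = [version]'149.0.7827.103'

$Candidates = @(
    @{ Browser = 'Google Chrome';  Exe = "$env:ProgramFiles\Google\Chrome\Application\chrome.exe";          IsChromiumVersion = $true  },
    @{ Browser = 'Google Chrome';  Exe = "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe";   IsChromiumVersion = $true  },
    @{ Browser = 'Google Chrome';  Exe = "$env:LOCALAPPDATA\Google\Chrome\Application\chrome.exe";          IsChromiumVersion = $true  },
    @{ Browser = 'Microsoft Edge'; Exe = "${env:ProgramFiles(x86)}\Microsoft\Edge\Application\msedge.exe"; IsChromiumVersion = $false },
    @{ Browser = 'Brave';          Exe = "$env:ProgramFiles\BraveSoftware\Brave-Browser\Application\brave.exe"; IsChromiumVersion = $false },
    @{ Browser = 'Vivaldi';        Exe = "$env:LOCALAPPDATA\Vivaldi\Application\vivaldi.exe";               IsChromiumVersion = $false },
    @{ Browser = 'Opera';          Exe = "$env:LOCALAPPDATA\Programs\Opera\opera.exe";                      IsChromiumVersion = $false }
)

function Test-ChromePatched {
    # $true when an installed Chrome version string is at or above the patched Windows build.
    # [version] compares all four components numerically, so 149.0.7827.95 sorts below 149.0.7827.103.
    param([Parameter(Mandatory)] [string] $Installed)
    return ([version]$Installed) -ge $PatchedChromeWindows
}

function Get-ChromiumBrowserStatus {
    foreach ($c in $Candidates) {
        if (-not (Test-Path -LiteralPath $c.Exe)) { continue }
        $ver = (Get-Item -LiteralPath $c.Exe).VersionInfo.ProductVersion
        # Chrome stages an in-use update as new_chrome.exe beside chrome.exe until the browser relaunches,
        # so an old chrome.exe with new_chrome.exe next to it means "downloaded, not yet running".
        $staged = Test-Path -LiteralPath (Join-Path (Split-Path -Parent $c.Exe) 'new_chrome.exe')
        $status = if (-not $c.IsChromiumVersion) {
            'vendor version: confirm the CVE-2026-11645 fix in release notes'
        } elseif (Test-ChromePatched $ver) {
            'PATCHED'
        } elseif ($staged) {
            'update staged: relaunch required'
        } else {
            'VULNERABLE: update now'
        }
        [pscustomobject]@{ Browser = $c.Browser; Version = $ver; Status = $status; Path = $c.Exe }
    }
}

Get-ChromiumBrowserStatus | Format-Table -AutoSize
```

Pipe the output to Export-Csv from your endpoint management tool to get a fleet‑wide picture; hosts reporting "update staged" need a relaunch (or the RelaunchNotification policy) rather than another install, and hosts still reporting "VULNERABLE" are where to redeploy the MSI.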
The Bottom Line
CVE‑2026‑11645 is a real and actively exploited zero‑day. The patch is here, and every minute you delay updating is a minute of exposure. Windows users, in particular, should not wait—the threat actors behind this campaign are likely counting on lagging enterprise patching. Update Chrome, prod your coworkers to do the same, and keep an eye on other Chromium‑based browsers that may still be vulnerable. Security is only as strong as the slowest updated application on your system.