Google Patches Fifth Chrome Zero-Day of 2026 — V8 Exploit Was Already Active in the Wild

Google pushed an emergency update to Chrome on June 8th to patch a high-severity zero-day vulnerability that was already being exploited in the wild. The flaw, tracked as CVE-2026-11645, is an out-of-bounds read and write in Chrome's V8 JavaScript and WebAssembly engine — the same component that has been a recurring target for attackers this year. Users on Windows, macOS, and Linux need to update to Chrome 149.0.7827.102 (or .103 on Windows) immediately.

This is the fifth Chrome zero-day Google has had to patch since January 2026, continuing a pace of active in-the-wild exploitation that has defined the browser security landscape this year. That count makes CVE-2026-11645 notable not just as an individual vulnerability, but as part of a sustained pattern of attackers finding and weaponising Chrome flaws before Google can patch them.

What the Vulnerability Does

CVE-2026-11645 is classified as an out-of-bounds memory access in V8. The practical consequence: a remote attacker can execute arbitrary code within Chrome's renderer sandbox by luring a user to a specially crafted HTML page. No interaction beyond visiting the page is required — no file downloads, no permissions prompts. The attack surface is as broad as the web itself.

Beyond remote code execution, successful exploitation could expose sensitive information from browser memory, cause crashes, or help bypass Address Space Layout Randomization (ASLR). ASLR bypass is particularly dangerous as a component in exploit chains: on its own it doesn't give an attacker control, but combined with a second vulnerability it can enable full system compromise beyond the browser sandbox.

The vulnerability was privately reported by an anonymous researcher identified only by a hash ("303f06e3") on April 27, 2026 — about six weeks before the public disclosure and patch. Google has withheld detailed technical information about the bug while patch adoption spreads, per its standard disclosure policy for actively exploited zero-days. A $55,000 bug bounty was paid for the report.

The 2026 Chrome Zero-Day Pattern

To put CVE-2026-11645 in context, the four prior Chrome zero-days patched in 2026 are:

• CVE-2026-2441 — Iterator invalidation in CSSFontFeatureValuesMap (January 2026)
• CVE-2026-3909 — Out-of-bounds write in Skia (March 2026)
• CVE-2026-3910 — Inappropriate implementation in V8 (March 2026, same month as Skia patch)
• CVE-2026-5281 — Use-after-free in Dawn/WebGPU (April 2026)

The concentration in V8 (three of five this year) and the recurring use-after-free and out-of-bounds class of bugs suggests attackers have deep knowledge of the V8 codebase and are systematically finding exploitable conditions in its memory management. V8 is one of the most complex and performance-critical components in any browser — it has to parse and JIT-compile untrusted web code at high speed, which creates an inherently difficult memory safety environment.

Google has invested significantly in V8 hardening — V8 Sandbox, pointer compression, and various mitigations — but these defences operate on a different timeline from attackers who are actively researching new bypass techniques. The five zero-days in six months is not a sign that Chrome is unusually insecure relative to alternatives; it reflects that Chrome is the highest-value target and therefore attracts the most serious research effort from both security researchers and threat actors.

Who Is Exploiting This

Google's disclosure notes active exploitation but, as is typical, has not attributed the attacks to specific threat actors or described the targeting. Based on patterns from prior V8 zero-days this year, exploitation has ranged from nation-state operators targeting journalists, activists, and government employees (primarily using zero-days as a delivery mechanism for surveillance software) to financially motivated actors using drive-by exploitation chains for credential theft and initial access brokering.

The six-week gap between private disclosure (April 27) and patch (June 8) is longer than usual for a Chrome zero-day reported under active exploitation. Google's standard turnaround for critical bugs is faster, suggesting either that fixing the V8 memory access issue without introducing regressions was non-trivial, or that the exploitation activity was first detected closer to the patch date than the initial report date.

What to Do

Update Chrome now. Open chrome://settings/help or click the three-dot menu → Help → About Google Chrome. If an update is available, apply it and relaunch. The patched version numbers are:

• Windows: 149.0.7827.102 or 149.0.7827.103
• macOS: 149.0.7827.102
• Linux: 149.0.7827.102

Enterprise administrators deploying Chrome via managed policy should push the update to all endpoints. For organizations running Chromium-based browsers (Edge, Brave, Arc, Opera), check for updates from those vendors — each will patch V8 from upstream at their own cadence, but most have issued or will shortly issue updates incorporating the same fix.

As reported by BleepingComputer and The Hacker News, Google continues to restrict detailed bug information pending broad patch adoption. Full technical disclosure of CVE-2026-11645 will likely follow in the coming weeks once the majority of the Chrome user base has updated.