High (8.8) Actively Exploited

Chrome V8 RCE actively exploited (CVE-2026-11645)

CVE-2026-11645: Google Chrome V8 RCE exploited in the wild in versions before 149.0.7827.103 (CVSS 8.8). Update Chrome immediately to the latest version.

Affected: Google Chrome on Windows, macOS and Linux (the flaw is in Chrome's V8 engine, not in the operating systems themselves)

Actively exploited in the wild - CVE-2026-11645 is a high-severity out-of-bounds read and write vulnerability in Google Chrome’s V8 JavaScript engine (versions prior to 149.0.7827.103) that lets remote attackers execute arbitrary code within the browser sandbox. Patched in Chrome 149.0.7827.103 - update your browser immediately.

Overview

CVE-2026-11645 is an out-of-bounds (OOB) memory vulnerability in Google Chrome’s V8 JavaScript engine, affecting all Chrome versions prior to 149.0.7827.103. An attacker exploits the flaw by luring a victim to a specially crafted HTML page whose JavaScript triggers memory corruption in V8. The resulting ability to read and write beyond allocated buffers can be turned into arbitrary code execution inside the renderer process, which runs within Chrome’s sandbox.

The vulnerability carries a CVSS v3.1 base score of 8.8 (High): network attack vector, low attack complexity, no privileges required, and high impact on confidentiality, integrity and availability. The score does not credit a sandbox escape; a scope-changed vector would rate higher, and breaking out of the renderer sandbox requires a second, separate bug (see Impact). Exploitation does require user interaction (clicking a link or visiting a malicious or compromised page), but this is a low bar for attackers.

Impact

An attacker successfully exploiting CVE-2026-11645 can:

  • Execute arbitrary code inside Chrome’s sandboxed renderer process
  • Escape the sandbox and reach the underlying operating system only when this bug is chained with a separate sandbox-escape or privilege-escalation vulnerability
  • Read data held by the compromised renderer, including page content, cookies and session tokens for the sites rendered in that process
  • Install malware or pivot further on the host once the sandbox has been escaped

CISA adds a CVE to its Known Exploited Vulnerabilities (KEV) catalog only on evidence of active exploitation, so the listing of CVE-2026-11645 confirms that working exploit code is being used in real attacks. Organizations should treat this as an urgent patching priority.

Affected Versions

Google Chrome versions prior to 149.0.7827.103 are vulnerable on all supported platforms (Windows, macOS, Linux). Users of Chromium-based browsers (Microsoft Edge, Brave, Opera, Vivaldi) should also check and apply updates from their respective vendors.

Remediation

Immediate action required:

  1. Update Google Chrome to version 149.0.7827.103 or later
  2. In Chrome, go to Settings > About Chrome or navigate to chrome://settings/help to trigger the update check
  3. Restart the browser to apply the update
  4. Enterprise users should deploy the update via their browser management tools (Group Policy, MDM, etc.)
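Step 4 in practice means comparing every managed host’s installed build against 149.0.7827.103. The Python script below is an added example for this advisory, not Google’s or Chrome’s own tooling: it parses `--version` output strings collected from hosts into a constructed sample inventory (hostnames and version strings are made up), compares versions numerically so that build .99 is correctly ranked below build .103 (a plain string comparison gets this backwards), and lists the hosts that still need the update. The function names `parse_version`, `is_vulnerable` and `triage` are this example’s own.

```python
"""Fleet check for CVE-2026-11645: flag Chrome installs older than the fixed build.

Added example for this advisory, not Google's or Chrome's own tooling. It parses
strings in the shape produced by `google-chrome --version` (or the Windows
equivalent), compares them component by component as integers, and reports
hosts whose build predates 149.0.7827.103.
"""
import re
from typing import Dict, List, Tuple

# First fixed build per the advisory (Chrome 149.0.7827.103).
FIXED_VERSION = "149.0.7827.103"

# Matches the four-component Chrome version inside strings such as
# "Google Chrome 149.0.7827.103" or "Chromium 148.0.7700.12 snap".
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract the Chrome version as a tuple of ints; raise if none is present."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Chrome version found in: {text!r}")
    return tuple(int(g) for g in m.groups())


def is_vulnerable(version_text: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the reported build is older than the first fixed build.

    Tuples of ints compare lexicographically by component, which is the
    correct ordering for dotted versions; comparing the raw strings would
    rank "149.0.7827.99" above "149.0.7827.103".
    """
    return parse_version(version_text) < parse_version(fixed)


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the hostnames whose reported Chrome build still needs the update."""
    return sorted(host for host, text in inventory.items() if is_vulnerable(text))


# Constructed sample inventory (hostname -> output of `chrome --version`); not real data.
SAMPLE_INVENTORY = {
    "ws-01": "Google Chrome 149.0.7827.103",         # exactly the fixed build
    "ws-02": "Google Chrome 149.0.7827.99",          # numerically older, string-greater
    "ws-03": "Google Chrome 148.0.7700.45",          # older major version
    "ws-04": "Google Chrome 149.0.7850.10 unknown",  # newer branch, already patched
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> update required")
```

The comparison against 149.0.7827.103 is valid for Google Chrome only: Chromium-based browsers such as Edge, Brave, Opera and Vivaldi carry their own version numbers, so for those hosts substitute the fixed build named in each vendor’s advisory.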

Mitigation if patching is delayed:

  • Restrict user browsing to trusted sites only until the update is deployed
  • Use browser isolation or virtualized browsing for untrusted content
  • Monitor for unusual Chrome process behavior that would indicate a sandbox escape, for example a Chrome renderer process spawning unexpected child processes or writing executables
  • Consider application allowlisting to block execution of unauthorized binaries dropped after a successful escape

This vulnerability is part of a broader trend of actively exploited browser zero-days. For context on ongoing threat activity, see our Weekly Threat Roundup: Apache & cPanel Zero-Days (Apr 27 - May 3). Additionally, supply chain threats continue to evolve as seen in the SAP npm packages compromised in credential-stealing attack and the persistent TeamPCP Supply Chain Campaign: Update 008.

Security Insight

CVE-2026-11645 is yet another V8 OOB vulnerability that Google has had to patch under active exploitation. The EPSS score of 0.1% suggests targeted rather than widespread exploitation, but EPSS lags for freshly disclosed bugs and should not be read as reassurance; the CISA KEV listing shows that nation-state or criminal actors are already weaponizing it. The pattern mirrors the V8 OOB flaws exploited in Chrome zero-days throughout 2024-2025, suggesting that V8’s performance-focused JIT tiers remain a rich source of memory-safety bugs that attackers routinely exploit. Site isolation and the renderer sandbox are on by default in Chrome; as defense-in-depth against future V8 bugs, organizations should make sure neither is disabled (for example by launching Chrome with --no-sandbox) and can enforce site isolation fleet-wide with the SitePerProcess enterprise policy.
