Chrome V8 zero-day CVE-2026-11645 exploited in wild
Google has released security updates to address 74 vulnerabilities, including one that has come under active exploitation in the wild. The high-severity vulnerability, tracked as CVE-2026-11645 (CVSS
What Happened
Google has released an emergency security update for its Chrome browser, addressing 74 vulnerabilities in the stable channel. Among these is CVE-2026-11645, a high-severity vulnerability in the V8 JavaScript engine that is actively being exploited in the wild. Google’s Threat Analysis Group (TAG) confirmed the existence of an exploit for this flaw, though detailed attack campaigns have not yet been publicly attributed to a specific threat actor. Users across Windows, macOS, and Linux platforms are affected.
Why It Matters
CVE-2026-11645 is a V8 JavaScript engine issue that allows remote code execution via a crafted HTML page. With active exploitation confirmed, any user visiting a malicious website is at risk of a full browser and system compromise. For enterprises relying on Chrome for internal applications, customer portals, or remote access, this represents an immediate threat. Attackers often weaponize such zero-days as initial access vectors into corporate networks, targeting employees through phishing campaigns or watering-hole attacks. Organizations with unpatched browsers remain exposed until the update is deployed.
Technical Details
CVE-2026-11645 (CVSS score not yet published by Google, but rated high severity) is a type confusion vulnerability in Chrome’s V8 engine. By crafting a malicious HTML page, an attacker can trigger memory corruption and achieve arbitrary code execution within the browser’s sandbox. While the sandbox isolates the renderer process, successful exploitation can be chained with a sandbox escape (such as CVE-2026-7896, a heap corruption bug in Chrome’s networking stack) to gain full system access. The active exploit is known to bypass recent V8 hardening mitigations.
Affected versions: Chrome versions prior to 132.0.6834.110 for Windows, macOS, and Linux. Users should check chrome://settings/help for the current version.
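For fleet triage against the fixed build named above, the following is an added example, not code from Google or from this article's sources. It assumes an inventory export with `host,os,chrome_version` columns; the hostnames and sample rows are constructed for illustration.

```python
import csv
import io

# Fixed build stated in the article; anything lower is treated as exposed.
FIXED_BUILD = (132, 0, 6834, 110)

# Constructed sample inventory (hosts and versions are illustrative only).
SAMPLE_INVENTORY = """host,os,chrome_version
ws-001,Windows,132.0.6834.110
ws-002,Windows,132.0.6834.83
mac-014,macOS,131.0.6778.264
lnx-007,Linux,133.0.6943.53
ws-033,Windows,132.0.6834.99
kiosk-02,Linux,unknown
"""


def parse_version(text):
    """Return a 4-tuple of ints, or None if the string is not a Chrome version."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def classify(version_text, fixed=FIXED_BUILD):
    """Compare numerically, component by component; string comparison would
    rank '132.0.6834.99' above '132.0.6834.110' and miss an exposed host."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # no usable data: verify manually, do not assume patched
    return "patched" if version >= fixed else "vulnerable"


def audit(inventory_csv):
    """Group hostnames by status for a host,os,chrome_version CSV export."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        report[classify(row["chrome_version"])].append(row["host"])
    return report


if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status:10} {len(hosts):2}  {', '.join(hosts)}")
```

Hosts reported as `unknown` belong in the same remediation queue as `vulnerable` ones until their version is confirmed.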
Google has not released public IOCs or exploit code, but YARA rules for detecting malicious Chrome processes or JavaScript files in transit are available from select threat intelligence partners.
Immediate Risk
The risk is critical. Active exploitation of a V8 zero-day in Chrome, which holds over 65% of the browser market share, puts billions of users at risk. The severity increases for enterprises without centralized browser management or automatic updates enabled. Attackers are already using this vulnerability in targeted attacks, likely against high-value sectors like technology, finance, and government. Patching should be treated as an emergency, with a 24-hour deployment window recommended for all user endpoints.
Security Insight
This is the third V8 zero-day exploited in the wild in the last 14 months, indicating that Google’s V8 hardening efforts, such as pointer compression and JIT hardening, are being systematically probed by advanced persistent threat (APT) groups. Rather than relying solely on Google’s patch cadence, organizations should deploy browser isolation or virtualization for high-risk browsing sessions. Additionally, consider restricting JavaScript execution in untrusted contexts via Content Security Policy headers or enterprise browser policies. This shifts the defensive burden from a race-against-patches to a proactive containment posture.