Google has patched CVE-2026-11645, a high-severity zero-day vulnerability in Chrome's V8 JavaScript engine that attackers actively exploit. The flaw carries a CVSS score of 8.8 and permits out-of-bounds memory read and write operations within V8.
The vulnerability affects Chrome versions prior to 149.0.7827.103. Out-of-bounds memory access vulnerabilities allow attackers to read or modify data outside intended memory boundaries, creating pathways for remote code execution, data theft, or browser sandbox escape. V8 powers billions of Chrome installations globally, making this flaw a widespread concern.
Google's update bundle addressed 74 total vulnerabilities across the browser. The company classified CVE-2026-11645 as in-the-wild exploitation, meaning threat actors have deployed working attacks before patches existed. Users who delayed updates face active risk.
Chrome distributes updates automatically, but machines running older versions remain vulnerable until systems restart or users manually update. Enterprise environments controlling rollout schedules should prioritize this patch. Organizations running unmanaged Chrome instances need immediate verification that all endpoints have received version 149.0.7827.103 or later.
Attackers exploiting memory access flaws typically deliver malicious JavaScript through compromised websites, malvertising networks, or targeted phishing campaigns. Victims visiting infected pages risk silent infection without user interaction. The V8 engine's performance optimizations, while beneficial for speed, sometimes create memory safety gaps that researchers and attackers identify.
Organizations should verify Chrome version compliance across their infrastructure. IT teams managing Chromebooks, Chrome browser deployments, or web-based applications face particular urgency. Users running Chrome on personal machines should check Settings > About > Google Chrome to trigger immediate updates if pending.
V8 vulnerabilities remain attractive targets because the engine processes untrusted JavaScript