Google pushed an emergency Chrome 149 update on Monday to fix CVE-2026-11645, a V8 JavaScript engine flaw attackers are already exploiting in the wild. The patch is the fifth Chrome zero-day Google has shipped a fix for in 2026.
Versions 149.0.7827.102 and 149.0.7827.103 for Windows and Mac, and 149.0.7827.102 for Linux, contain the fix. Google said the rollout could take days or weeks to reach every installation, and the standard advice is to force the update rather than wait.
What the V8 Flaw Actually Does
CVE-2026-11645 is an out-of-bounds read and write in V8, the open-source JavaScript and WebAssembly engine that runs every script in every Chrome tab. The bug lets a program read from or write to memory locations outside the buffer the engine allocated for the script.
Attackers can trigger the flaw by convincing a user to load a crafted HTML page. The page does not need to download anything or trick the visitor into clicking; just opening the malicious tab is enough. Successful exploitation gives the attacker access to data outside the buffer through heap corruption, exposing sensitive information or crashing the browser in the process. Some variants can also leak memory contents back to the page, giving attackers a read primitive they can pair with the write primitive to fully control the browser process.
Out-of-bounds access also threatens defenses such as Address Space Layout Randomization, the memory layout protection that makes modern exploits harder to chain. Bypassing ASLR makes it easier for an attacker to follow the V8 bug with a second flaw and escape the browser sandbox entirely. The sandbox is what keeps a browser compromise from becoming a system compromise, and losing it is the step that turns a single bug into a full intrusion on the device.
The Patch and How to Install It
Google’s Monday Chrome security advisory lists the patched build numbers and notes that “access to bug details and links may be kept restricted until a majority of users are updated with a fix.” The company added that the same restrictions may stay in place if a third-party library that other projects depend on has not yet shipped its own fix. Google has not yet linked a proof-of-concept, named an attacker group, or attributed the in-the-wild use to any specific campaign, and the standard policy of withholding technical detail until most users have updated remains in force.
The update will reach most users over the coming days and weeks as Chrome’s automatic updater rolls it out. Anyone who wants the fix on the device right now can force the download through the browser’s built-in update path. The Chrome team recommends a four-step manual process:
- Open Chrome and click the three-dot menu in the top-right corner.
- Select Help, then About Google Chrome.
- Wait while Chrome downloads and installs the update.
- Relaunch the browser when prompted to finish installation.
The Fifth Chrome Zero-Day of 2026
Google has now patched five Chrome zero-days in 2026, four of them memory-safety flaws in different browser components. The two-month run between the first February disclosure and the current V8 patch delivers five in-the-wild Chrome zero-days on the books before July. The four earlier fixes came in CSS, Skia, V8, and Dawn, and the new V8 disclosure puts a second V8 memory flaw on the same list this year.
In mid-February 2026, Google patched CVE-2026-2441, a use-after-free bug in the CSSFontFeatureValuesMap component that handles CSS font feature values inside the rendering engine. One month later came a pair: CVE-2026-3909, an out-of-bounds write in Skia, the 2D graphics library Chrome uses to draw web content, and CVE-2026-3910, an implementation flaw in V8 itself. Both March flaws carried CVSS scores of 8.8, and Chrome’s March emergency update that patched two zero-days is the previous public marker of the trend. CISA added the Skia and V8 bugs to its Known Exploited Vulnerabilities catalog shortly after disclosure.
April brought the fourth, CVE-2026-5281, a use-after-free bug in Dawn, the cross-platform WebGPU implementation used by Chromium for hardware-accelerated graphics. CISA added that one to the same catalog and gave federal agencies a 14-day patching window. The V8 memory access bug Google disclosed this week is the fifth, and the breakdown looks like this.
| CVE | Month Patched | Component | Vulnerability Type |
|---|---|---|---|
| CVE-2026-2441 | February 2026 | CSSFontFeatureValuesMap | Use-after-free |
| CVE-2026-3909 | March 2026 | Skia | Out-of-bounds write |
| CVE-2026-3910 | March 2026 | V8 | Inappropriate implementation |
| CVE-2026-5281 | April 2026 | Dawn (WebGPU) | Use-after-free |
| CVE-2026-11645 | June 2026 | V8 | Out-of-bounds memory access |
V8 Keeps Producing the Same Class of Memory Bug
V8 is now on its second actively exploited zero-day of 2026, and the same defect class has surfaced across the rest of the year. Four of the five 2026 Chrome zero-days are memory-safety flaws, and the one that is not, the March V8 implementation bug, is a closely related class of browser-engine error. The same component class keeps delivering flaws with the same root cause, and the same engine shows up twice on the same list in the same half.
That recurrence is not an accident. V8 is the most heavily exercised piece of code in any Chrome session, parsing and compiling JavaScript on every page load. The engine is written largely in C++, a language that does not enforce memory safety at compile time, and bugs in how it handles typed arrays, JIT-compiled code, or WebAssembly are how the worst classes of browser exploits begin. Chrome has shipped more than 3.5 billion users on the same engine.
Out-of-bounds reads and writes, the specific failure mode in CVE-2026-11645, are among the most valuable vulnerabilities on the market because they are reliable. Once a researcher or attacker finds one, they can often use it as the first link in a chain that ends in code execution outside the sandbox. Google’s $55,000 bug bounty for the V8 disclosure, paid to the anonymous researcher who reported it, sits at the high end of what Google pays for V8 memory bugs that arrive in unpatched Chrome.
Memory-safety bugs dominate Chrome’s exploited-flaw list because the underlying code base is large, written in C and C++, and runs constantly on billions of devices. Google, Microsoft, and other major vendors have publicly committed to migrating more of their code to memory-safe languages such as Rust, and Google’s own security team has credited its memory-safety work for catching flaws in V8 before they ship. The scale of the existing C and C++ code base, however, means the migration is a multi-year project rather than a near-term fix.
Browser Zero-Days in a Wider 2025-2026 Pattern
Google’s Threat Intelligence Group tracked 90 zero-day vulnerabilities exploited in the wild in 2025, more than the 78 in 2024 but down from the 100 high in 2023, according to the 2025 zero-days annual review. The total has stayed in a 60 to 100 range for the past five years, with the 2025 number elevated compared to pre-2021 levels. Enterprise and mobile platforms absorbed most of the 2025 share.
Browsers accounted for less than 10% of the 2025 total, a drop GTIG attributes to hardening work in Chrome and other major browsers. Operating systems, especially mobile, gained share, with 15 mobile zero-days in 2025, up from 9 in 2024. Enterprise software and security appliances absorbed 48% of the year’s tracked zero-days, an all-time high, and GTIG frames the enterprise shift as a structural change in the threat landscape.
Many of the eight Chrome zero-days Google fixed in 2025 came from reports by Google’s Threat Analysis Group, the same team that tracks spyware operations. The pace in 2026, with five Chrome zero-days already, has the browser heading above last year’s count, and the same Chrome 149 build line that carried a record-breaking 429-flaw release earlier in June is the one now delivering the V8 fix.
- 90 zero-days tracked in 2025 by Google Threat Intelligence Group
- 48% of 2025’s tracked zero-days targeted enterprise technologies
- 15 mobile zero-days in 2025, up from 9 in 2024
- 8 Chrome zero-days fixed by Google in 2025
- 5 Chrome zero-days fixed by Google in the first half of 2026
Action Steps for Users and Admins
Chrome’s emergency update covers roughly 3.5 billion users, and the safest move is to install Chrome 149.0.7827.102 on every device you control. The release is a 74-fix patch batch that includes 17 critical-rated flaws and the V8 zero-day, which is why the manual update path through Help then About Google Chrome is the fastest way to land the fix.
Users running Chromium-based browsers, including Microsoft Edge, Brave, Opera, and Vivaldi, should monitor their vendor’s advisory feed. Google has not yet shipped corresponding patches to every downstream product, and disclosure restrictions may keep technical details limited until a majority of Chrome users have updated. For organizations, push the fix through managed device channels rather than waiting for the auto-updater, and treat any link to an unverified site as risky until the patch is on the device. The browser sandbox keeps a single bug from being a system compromise, and the patch removes the specific in-the-wild exploit Google disclosed on Monday.
- Force-install Chrome 149.0.7827.102 (Windows/Linux) or 149.0.7827.103 (Mac) through the Help menu.
- Check any managed or corporate Chrome deployments for the same version string.
- Watch for updates from your Chromium-based browser vendor and apply them the same day.
- Treat any link to an unverified site as risky until the patch is on the device.
Frequently Asked Questions
What is CVE-2026-11645?
CVE-2026-11645 is the identifier Google assigned to an out-of-bounds read and write vulnerability in the V8 JavaScript engine inside Chrome. The flaw lets a crafted web page read or write memory outside the buffer V8 allocated, and an exploit for it is already being used in real attacks against Chrome users.
Which Chrome versions contain the fix?
The fixed builds are 149.0.7827.102 for Windows, 149.0.7827.103 for Mac, and 149.0.7827.102 for Linux. The same release ships 74 security fixes in total, including 17 that Google classified as critical and the high-severity V8 bug.
Is my browser patched automatically?
Chrome checks for updates on launch and rolls them out gradually, which can take days or weeks. The browser’s manual update path, Help then About Google Chrome, downloads and installs the patch on demand, and that is the recommended way to get the fix right away.
How serious is this compared to past Chrome zero-days?
Google classified CVE-2026-11645 as high severity, not critical. The active exploitation and the fact that the same V8 class of memory bug has produced multiple in-the-wild zero-days this year make it more urgent than a typical high-severity flaw.
Should I worry about other Chromium-based browsers?
Yes, in the sense that any Chromium-based browser shares the V8 engine, but the patch timeline varies. Edge, Brave, Opera, Vivaldi, and other Chromium products depend on their own maintainers to ship a corresponding update, and that can lag Google’s release by hours or days.





