
Exploited Chrome Zero-Day CVE-2026-11645, the 5th of 2026 — Update Chrome Now

Google Chrome, the world's most-used browser, has a serious flaw already used in attacks (CVE-2026-11645), and an emergency fix is out. Opening a trap page alone can hand over your device, and this is the fifth such case in 2026. All Chrome users are affected, as are Edge and Brave. Update to 149.0.7827.103 now. Here's how to check and what's affected.

News

Makoto Horikawa

Backend Engineer / AWS / Django

2026.06.10 / 9 min read

The world's most-used browser, Google Chrome, has a serious flaw (a security weakness) that is already being used in real attacks, and Google has shipped an emergency fix. It is tracked as CVE-2026-11645. Simply opening a booby-trapped web page can let an attacker's code start running on your device. Google says it is aware that an exploit for this flaw exists in the wild.

This is a flaw that was abused before a fix was ready, what's called a "zero-day," and it is the fifth such case in 2026: attacker-usable weaknesses keep getting found and patched in the same browser at short intervals. The U.S. agency CISA has also added it to its catalog of vulnerabilities under active attack (KEV). And it isn't only Chrome: as explained below, browsers built on the same foundation, like Edge and Brave, are affected too.

There is one thing to do: update Chrome to the latest version (149.0.7827.103). This article explains, in plain terms, how to check and update your Chrome right now, what this flaw lets attackers do, why the heart of the browser keeps getting targeted, and what to watch for at home and at work.

How to check and update your Chrome right now

The bottom line first. This flaw is closed once Chrome is on 149.0.7827.102 or later on desktop (Windows and Mac builds may show .103). To check, click the "⋮" (three dots) at the top right of Chrome and open "Help" → "About Google Chrome." It will automatically check for and apply the latest version. When it finishes, be sure to click "Relaunch" to apply it. If you only downloaded the update but never relaunched, you keep running the old, vulnerable version in memory, and the version shown in "About Chrome" will tell you so.

Your environment    | Fixed version             | What to do now
Windows / Mac       | 149.0.7827.102 / .103     | Update via "About Chrome," relaunch
Linux               | 149.0.7827.102            | Same, or update via package manager
Android phone       | Rolling out               | Update Chrome in the Play Store
Edge / Brave, etc.  | Each vendor's own update  | Same foundation, so update needed

Keep in mind that the update rolls out gradually over days to weeks. "About Chrome" may not show the latest right away, but checking manually can speed it up. If you manage many PCs at work, have IT push the update centrally. Note that Chrome on iPhone runs on Apple's engine (WebKit) and is not the direct target of this V8 flaw — but keeping the whole OS up to date matters regardless.

What happens, and why just opening a trap page is dangerous

The flaw is in "V8," the heart of Chrome. V8 is the engine that runs the programs (JavaScript) written into web pages quickly, and it runs for nearly every page you view. CVE-2026-11645 is a bug where V8 reads and writes memory outside the bounds of the object it is working on. The technical classes are out-of-bounds read (CWE-125) and out-of-bounds write (CWE-787), and the severity is rated 8.8 out of 10 (High) on the CVSS scale.

What's frightening is how easy the attack is. Per NVD (the U.S. vulnerability database), an attacker only has to get you to open a crafted HTML page (that is, an ordinary web page) to run their code inside Chrome. No suspicious file to download, nothing to install. It can happen the instant you open a page reached via an ad, a hijacked legitimate site, or a link in email or social media. Chrome has a safety mechanism called the "sandbox" (an isolation box) to contain damage: code that takes over V8 lands inside the sandboxed renderer process rather than directly on your system, and a full device takeover normally needs a second flaw to break out of that box. Google has not said whether one was used here, but memory flaws like this are the usual first link in exactly that kind of chain.

And this is a "zero-day" — a flaw already used in attacks before a fix existed. While Google acknowledges that an exploit is circulating, it is withholding details of the method until updates reach most users. That is Chrome's standard practice, because publishing details would help other attackers target those who haven't patched. Put the other way: a device you haven't updated could be hit at any time using a technique that is already known.

Who targets this flaw, and what they're after

You might think, "a browser bug, really?" But the browser is now where we keep our work, our money, and our relationships. Online banking, work email and systems, social media, shopping, saved passwords — Chrome is the doorway to all of it. A flaw that lets someone inside that Chrome just by getting you to open a trap page is, to an attacker, close to a master key. The fact that an exploit is already circulating means people who want that value are actively moving.

The ones coming for it are not an abstract "hacker." Concretely, they are state-backed espionage groups who want to quietly plant surveillance tools on a specific person's device; surveillance vendors who target journalists, activists, and executives to siphon communications and location; money-driven crime groups who steal saved logins and session cookies to take over bank and online accounts; and brokers who resell the break-in paths they harvest. What they want is your saved passwords and logged-in sessions, your online-banking screens, your work correspondence, and your contacts and photos. The instant a crafted page is opened in Chrome, the first step toward all of the above passes to the attacker's side.

What makes zero-days especially nasty is that the first target is often "one specific person." Many zero-days used in real attacks start in sophisticated operations against particular high-value individuals, and only later does the technique spread down to ordinary users. So here too, even if the attacks are currently limited to select targets, once the technique gets out, the damage can spread — via trap ads and hijacked sites — to everyday people just reading news sites or watching videos.

And the ones who bear the harm are not some special few; they are perfectly ordinary users who put off updating. Unauthorized bank transfers, hijacked social accounts via impersonation, company data walking out, leaked family photos and contacts — the number 8.8 is only a gauge of technical severity, and what a single trap page actually costs you is your life and work themselves. The update takes a few minutes. Whether you spare those minutes is what decides whether you become the one who gets hit.

The fifth this year: why the browser's core keeps getting targeted

CVE-2026-11645 is the fifth exploited Chrome zero-day Google has fixed in 2026. Overseas media call it "Whac-A-Mole." The previous one (the fourth) was an attacker-used flaw patched in a hurry not long ago, and the same thing keeps repeating at short intervals. This flaw was reported by an anonymous researcher in late April 2026, and a $55,000 bounty was reportedly paid for the responsible disclosure.

Why does a component like V8 get targeted again and again? The reason is simple: almost everyone in the world feeds code into it, every day, with their guard down. Every time you open a web page, that page's JavaScript runs in V8. To an attacker, holding a single V8 weakness means they don't need to send you mail or make you open a file — just "show you a page" and they can reach into your device. No other attack surface is this wide and this reliable, which is why large bounties move and attackers concentrate their resources there. The browser's safety box (the sandbox) keeps getting stronger year by year, yet flaws that break it keep getting found — that tug-of-war is what "Whac-A-Mole" really is.

From disclosure to fix

Here is the timeline from when this zero-day was reported to when the emergency fix was distributed — including the fact that this is already the fifth time this year.

[Timeline graphic: report by an anonymous researcher, late April 2026 → Google confirms an in-the-wild exploit → emergency fix 149.0.7827.102/.103 → CISA adds the CVE to KEV; the fifth such cycle in 2026]

How to read the risk right now

✓ Confirmed facts

  • CVE-2026-11645 is an out-of-bounds read/write flaw in Chrome's core V8; merely getting a user to open a crafted page can lead to code execution. Rated 8.8 (NVD)
  • Google acknowledged an in-the-wild exploit and released the emergency fix 149.0.7827.102/.103; CISA added it to KEV (SecurityWeek)
  • The fifth exploited Chrome zero-day fixed in 2026. Reported by an anonymous researcher, with a $55,000 bounty paid

? Not yet confirmed

  • The specific method and the attackers — Google is withholding details until updates reach most users. Who was targeted, and how widely, is unknown at publication time
  • The scale of harm — how many victims there were has not been disclosed. Zero-days are often first used against select targets

Stated plainly: neither the attack details nor the scale of harm has been disclosed yet. At the same time, "an exploit is already circulating, it can trigger just by opening a page, and there are billions of users" means the risk of doing nothing is enormous. And the fix is already out. Rather than scrambling once exploitation spreads, taking a few minutes to update now is the cheapest, surest defense.

What to do now

At home and at work, the steps are simple.

  • Open Chrome's "⋮" → "Help" → "About Google Chrome" and check that you are on 149.0.7827.102/.103 or later. If older, update and be sure to click "Relaunch"
  • On an Android phone, check the Play Store for a Chrome update
  • Edge, Brave, Opera, Vivaldi and other browsers built on the same foundation (Chromium) run the same V8 engine and carry this flaw until their vendor ships a build on the fixed Chromium. Apply each browser's update when it appears
  • If you run many devices at work, have IT push updates and verify the rollout status
  • Until you've updated, be extra careful not to casually open unfamiliar links, ads, or sites you don't recognize

Prioritize devices used for online banking or work systems. This attack doesn't even require opening a file — just displaying a page can be enough, so the old mindset of "I never open suspicious files, so I'm fine" isn't enough on its own. The basic defense is to get to the latest version before the attacks spread.
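For the fleet case above, and for anyone who would rather verify from a terminal than click through "About Chrome" on each machine, here is an added example of a scripted version check. It is not part of the article and not a Google tool. It assumes the desktop threshold from the table above (149.0.7827.102 is the lowest fixed desktop build; Windows and Mac also ship .103) and the usual Linux/macOS binary names for Chrome, Chromium, Brave and Edge, which you should adjust to your own inventory.

```shell
#!/bin/sh
# Added example (not from the article, not a Google tool): report whether the
# Chromium-based browsers installed on a Linux/macOS host are at or past the
# build that closes CVE-2026-11645.
#
# Threshold taken from the article's table: 149.0.7827.102 is the lowest
# fixed desktop build (Windows/Mac also ship .103), so .102 is the minimum
# on every desktop platform.
FIXED_VERSION="149.0.7827.102"

# version_ge A B  ->  exit 0 if dotted version A is >= B, else 1.
# Fields are compared numerically one at a time, so 149.0.7827.99 is
# correctly older than 149.0.7827.102 (a plain string compare gets this wrong).
version_ge() {
    a="$1."
    b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}; a=${a#*.}
        fb=${b%%.*}; b=${b#*.}
        fa=${fa:-0}; fb=${fb:-0}
        if [ "$fa" -gt "$fb" ]; then return 0; fi
        if [ "$fa" -lt "$fb" ]; then return 1; fi
    done
    return 0
}

# extract_version "<--version output>"  ->  the first x.y.z.w token, or nothing.
# google-chrome, chromium, brave-browser and microsoft-edge all print
# "<name> <major>.<minor>.<build>.<patch>" for --version.
extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# is_patched "<--version output>"  ->  0 fixed, 1 vulnerable, 2 unparseable.
is_patched() {
    v=$(extract_version "$1")
    [ -n "$v" ] || return 2
    version_ge "$v" "$FIXED_VERSION"
}

# check_installed: try the common binary names (assumed; adjust for your
# distro or MDM inventory) and print one line per browser found.
check_installed() {
    for bin in google-chrome google-chrome-stable chromium chromium-browser \
               brave-browser microsoft-edge \
               "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"; do
        if command -v "$bin" >/dev/null 2>&1 || [ -x "$bin" ]; then
            out=$("$bin" --version 2>/dev/null)
            rc=0
            is_patched "$out" || rc=$?
            case "$rc" in
                0) printf 'OK          %s\n' "$out" ;;
                1) printf 'VULNERABLE  %s  (need >= %s, then relaunch)\n' "$out" "$FIXED_VERSION" ;;
                *) printf 'UNKNOWN     %s: could not parse a version from "%s"\n' "$bin" "$out" ;;
            esac
        fi
    done
}

check_installed
```

Run it on a Linux or macOS host, or feed the output of any browser's --version to is_patched from a management script. Two caveats: a patched binary on disk still leaves the old, vulnerable process running until the browser is relaunched, which a file-based check cannot see; and on Windows the same comparison applies to the product version PowerShell reads from the executable, for example (Get-Item "$env:ProgramFiles\Google\Chrome\Application\chrome.exe").VersionInfo.ProductVersion.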

FAQ

Q. I don't visit shady sites. Am I still at risk?

Yes, don't let your guard down. This attack can trigger even when a familiar, legitimate site has been hijacked and seeded with a trap, or when a displayed ad redirects you to a trap page. "I'm safe because I don't visit shady sites" is not a guarantee. The sure move is to keep Chrome updated.

Q. Is Chrome on my phone affected?

Chrome for Android is affected, with updates rolling out; check the Play Store. Chrome on iPhone (iOS), however, runs on Apple's engine (WebKit), so it is not the direct target of this V8 flaw. Still, keeping your OS and apps up to date matters regardless.

Q. What is a zero-day?

It's a flaw already being used in attacks before a fix (patch) is ready. The name reflects that developers have "zero days" of lead time to respond. Because defenders are on the back foot, it is more dangerous, and applying the fix as soon as it's out is essential.

Q. I use Edge or Brave. Does this concern me?

Yes. Microsoft Edge, Brave, Opera, and Vivaldi are built on the same foundation as Chrome (Chromium) and share this V8 flaw. Each vendor ships its own fix, so apply it as soon as it appears.

In summary

CVE-2026-11645 is a zero-day in V8, the heart of the world's most-used browser, Google Chrome, that is already being abused in attacks. It's a serious flaw where merely getting you to open a crafted web page can run an attacker's code on your device, rated 8.8. Google shipped the emergency fix 149.0.7827.102/.103, and CISA added it to its catalog of vulnerabilities under active attack. This is already the fifth of 2026 — the "Whac-A-Mole" over browser weaknesses continues.

It's not only Chrome: browsers built on the same foundation, like Edge and Brave, are affected too. There is one thing to do — open "About Google Chrome," update to 149.0.7827.103 or later, and relaunch. Because this attack can trigger just from viewing a page, without opening a file, the "don't touch suspicious things" mindset alone won't protect you. The update takes a few minutes. Those few minutes are the cheapest insurance for your accounts, your logins, and your work.
