Google has patched a Chrome zero-day that attackers are already exploiting, and every desktop user on Windows, Mac, and Linux should force the update now rather than wait for automatic rollout.

Chrome Zero-Day Lets Attackers Run Code, Patch Now
XOOMAR Intelligence
Analyst Take
The vulnerability, tracked as CVE-2026-11645, is a high-severity flaw in Chrome V8 that can allow remote code execution through crafted HTML in Chrome versions before 149.0.7827.103, according to TechRadar Pro. The immediate question for users and IT teams is simple: has Chrome actually relaunched after installing the patch?
Google ships emergency Chrome zero-day fix for actively exploited V8 code execution bug
Google’s advisory says the bug is an out-of-bounds read and write issue in V8, Chrome’s JavaScript engine. The company gave CVE-2026-11645 a severity score of 8.8/10, placing it in the high-severity category.
The exploit path matters. A remote attacker can use a crafted HTML page to trigger the flaw and execute arbitrary code inside Chrome’s sandbox. That still leaves a boundary between the browser and the wider system, but it’s serious enough that Google moved patches into the Stable Desktop channel.
“Google is aware that an exploit for CVE-2026-11645 exists in the wild,” Google said in the advisory.
Google has not published technical exploit details. It said access to bug details and links may stay restricted until most users have received the fix, and that restrictions may remain if the flaw sits in a third-party library used by other projects that have not yet patched.
That withholding is not secrecy for its own sake. XOOMAR analysis: when exploit details are public before users update, defenders gain information, but so do copycats. Google’s language points to a familiar emergency-patch tradeoff: get fixes installed first, explain the bug later.
Patched desktop versions are now live:
| Platform | Patched Chrome version |
|---|---|
| Windows | 149.0.7827.102 |
| Mac | 149.0.7827.103 |
| Linux | 149.0.7827.102 |
BleepingComputer reported that this is the fifth Chrome zero-day Google has patched since the start of the year, and that the fix arrived two weeks after an anonymous security researcher reported the issue to Google.
Chrome zero-day raises file and session theft risk for users handling sensitive data
The practical danger is not abstract. TechRadar Pro notes that, in theory, the flaw could be used to steal corporate emails, documents, session cookies, or other sensitive information.
That does not mean Google has confirmed a specific theft campaign tied to CVE-2026-11645. It has not named attackers, targets, victims, or affected sectors. The known facts are narrower: an exploit exists in the wild, the flaw affects Chrome V8, and crafted HTML can trigger code execution inside the browser sandbox.
Could a normal web page become the attack surface? Yes, if the page is weaponized and the browser is vulnerable.
That is why browser zero-days draw fast attention. Chrome sits between users and almost everything they do online: email, cloud documents, dashboards, identity portals, trading accounts, admin panels, and internal tools. A malicious page does not have to look like a traditional software download to create risk.
XOOMAR analysis: the highest priority is not a demographic group Google has not identified. It is any machine where Chrome can touch valuable data. Start with devices used for corporate email, document access, session-heavy web apps, financial accounts, identity workflows, and administrative systems.
This patch also lands in a wider zero-day response environment where speed matters. XOOMAR has recently covered other active-exploitation stories, including “No Patch Yet as PeopleSoft Zero-Day Opens RCE Door” and “4-Hour BitLocker Zero-Day Cracks Windows SYSTEM Shell.” Those are separate cases, not evidence about this Chrome exploit, but they show why patch timing has become an operational discipline rather than a routine maintenance task.
Google’s limited disclosure leaves important gaps. We do not know how attackers are delivering the exploit, whether it has been used broadly or narrowly, or whether any stolen data has been confirmed.
That uncertainty cuts one way for users: update first.
How to confirm your Chrome browser has the zero-day patch installed
Chrome usually updates automatically, but automatic updates can still leave a window of exposure if the browser has not restarted. The safest move is to check manually and relaunch.
Use this path:
- Open Chrome: Launch the browser on your desktop.
- Go to settings: Type chrome://settings/help in the address bar and press Enter.
- Let Chrome check: The browser will look for available updates.
- Install if prompted: Allow the update to download and install.
- Relaunch Chrome: The patch does not fully take effect until the browser restarts.
Which devices need attention? All of them. Check work laptops, personal machines, shared desktops, secondary Chrome profiles, and managed browsers that may be waiting for a restart.
For security teams, the priority is fleet confirmation. Verify that endpoints have moved to 149.0.7827.102 on Windows and Linux or 149.0.7827.103 on Mac, then look for machines where Chrome downloaded the update but users delayed relaunching.
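The fleet check described above can be scripted. This is an added example, not code from Google or from the sources cited here: it compares each endpoint against the per-platform patched build and separates machines that are still vulnerable from those that only need a relaunch. The inventory columns (`host`, `platform`, `installed_version`, `running_version`) and the sample rows are constructed assumptions, not the export format of any real management tool.

```python
import csv
import io

# Patched Stable Desktop builds, taken from the table in this article.
PATCHED = {
    "windows": "149.0.7827.102",
    "mac": "149.0.7827.103",
    "linux": "149.0.7827.102",
}

# Constructed sample inventory; the column names are assumptions.
SAMPLE_INVENTORY = """host,platform,installed_version,running_version
ws-001,windows,149.0.7827.102,149.0.7827.102
ws-002,windows,149.0.7827.102,149.0.7827.54
mb-014,mac,149.0.7827.102,149.0.7827.102
lx-007,linux,148.0.7700.10,148.0.7700.10
kiosk-3,chromeos,149.0.7827.102,149.0.7827.102
"""

def parse_version(text):
    """Turn '149.0.7827.102' into (149, 0, 7827, 102) so comparison is numeric."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"unexpected Chrome version format: {text!r}")
    return parts

def classify(row):
    """Return patched, relaunch_pending, vulnerable, or unknown for one endpoint."""
    minimum = PATCHED.get(row["platform"].strip().lower())
    if minimum is None:
        return "unknown"  # platform not in the desktop patch table
    try:
        installed = parse_version(row["installed_version"])
        running = parse_version(row["running_version"])
    except ValueError:
        return "unknown"  # missing or malformed version data needs a manual look
    floor = parse_version(minimum)
    if running >= floor:
        return "patched"
    if installed >= floor:
        return "relaunch_pending"  # update is on disk, old build still running
    return "vulnerable"

def audit(inventory_csv):
    return {r["host"]: classify(r) for r in csv.DictReader(io.StringIO(inventory_csv))}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host:10} {status}")
```

Note that the Mac host on build 102 is reported as vulnerable because the Mac fix is build 103, and that versions are compared as integer tuples because a string comparison would rank build 99 above build 102.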
Admins should also watch Chromium-based browsers for vendor updates if those vendors issue matching patches. The supplied source material confirms the Chrome fix, not fixes from other browser makers, so that check needs to happen through each vendor’s own release channel.
After patching, users who believe they may have visited suspicious pages should watch for unusual account activity. That is especially relevant for accounts where browser sessions, cookies, or cloud documents are valuable.
The next signal will come from Google’s disclosure posture. If the company opens more bug details after most users update, defenders may learn whether CVE-2026-11645 was chained with other flaws, used in targeted attacks, or mainly abused through malicious web pages. Until then, the only confirmed defense is the patched Chrome build plus a full browser restart.
Key Takeaways
- Attackers are already exploiting CVE-2026-11645 in the wild.
- The flaw affects Chrome desktop users on Windows, Mac, and Linux before version 149.0.7827.103.
- Users and IT teams need to confirm Chrome has relaunched after updating so the patch is actually applied.
Written by
XOOMAR Insights Team
Research and Editorial Desk