Google patches fifth Chrome zero-day exploited in 2026

Google has released emergency updates to patch another Chrome zero-day vulnerability exploited in the wild, marking the fifth such flaw addressed since the start of the year.

Google confirms active exploitation of CVE-2026-11645. The company stated it is aware that an exploit for CVE-2026-11645 exists in the wild, according to its Monday security advisory. The high-severity flaw stems from an out-of-bounds read and write weakness in the Chrome V8 JavaScript engine.

Remote attackers can exploit it via crafted HTML pages to execute arbitrary code inside the browser's sandbox. Successful exploitation enables access to data beyond the memory buffer via heap corruption, exposing sensitive information or triggering a crash. The bug could also bypass protection mechanisms such as ASLR, making it easier to achieve code execution via another weakness.

Patched versions roll out to Stable channel users. Google fixed the zero-day for users in the Stable Desktop channel, with versions 149.0.7827.102 for Windows and Linux, and 149.0.7827.103 for Mac. An anonymous security researcher reported the issue two weeks before the patches began rolling out worldwide.

The security update could take days or weeks to reach all Chrome users, though it was available immediately upon checking. Users can rely on Chrome to automatically check for updates and install them during the next launch if they prefer not to update manually.

Google withholds full details on attacks. The company has not shared further details about the incidents involving CVE-2026-11645. Access to bug details and links may be kept restricted until a majority of users are updated with a fix, Google said.

Restrictions will also remain if the bug exists in a third-party library that other projects depend on but have not yet fixed. Google applied the same approach to prior zero-days, including CVE-2024-0519.

Four prior zero-days patched this year. In mid-February, Google addressed an iterator invalidation bug tracked as CVE-2026-2441 in CSSFontFeatureValuesMap. March brought fixes for an out-of-bounds write in the Skia 2D graphics library, CVE-2026-3909, and an inappropriate implementation vulnerability in the V8 engine, CVE-2026-3910.

April saw a patch for a use-after-free weakness in Dawn, CVE-2026-5281, the cross-platform implementation of the WebGPU standard. Last year Google fixed eight additional zero-days exploited in the wild, many identified by its Threat Analysis Group.