CVE-2026-11645 Overview
CVE-2026-11645 is an out-of-bounds read and write vulnerability in the V8 JavaScript engine used by Google Chrome. The flaw affects Chrome versions prior to 149.0.7827.103 on Windows, macOS, and Linux. A remote attacker can execute arbitrary code inside the Chrome renderer sandbox by serving a crafted HTML page to a target user. Google rates the Chromium severity as High, and CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. The weakness is tracked under CWE-125 (Out-of-bounds Read) and is paired with an out-of-bounds write, providing both information disclosure and memory corruption primitives. EPSS scoring places the CVE in the 90th percentile, reflecting active interest from threat actors.
Critical Impact
Remote attackers can achieve arbitrary code execution inside the Chrome renderer sandbox by luring a user to a crafted HTML page, enabling follow-on browser exploitation chains.
Affected Products
- Google Chrome versions prior to 149.0.7827.103
- Chrome desktop builds on Microsoft Windows
- Chrome desktop builds on Apple macOS and Linux
Discovery Timeline
- 2026-06-09 - CVE-2026-11645 published to the National Vulnerability Database
- 2026-06-09 - Google releases Chrome Stable channel update 149.0.7827.103
- 2026-06-09 - Last updated in NVD database
- 2026-06-11 - EPSS scoring published placing the CVE in the 90th percentile
Technical Details for CVE-2026-11645
Vulnerability Analysis
The vulnerability resides in V8, the JavaScript and WebAssembly engine that powers Chrome and Chromium-based browsers. V8 performs aggressive optimization on JavaScript code through its TurboFan and Maglev compilers, and incorrect assumptions during these optimization passes commonly produce out-of-bounds memory access. In CVE-2026-11645, V8 reads and writes beyond the bounds of an allocated buffer, giving an attacker both leakage of adjacent memory and the ability to corrupt object metadata. Exploitation requires user interaction in the form of visiting a malicious or compromised web page. Successful exploitation yields arbitrary code execution constrained by the Chrome sandbox, which typically serves as the first stage in a multi-bug chain that pairs the renderer compromise with a sandbox escape.
Root Cause
The defect is an out-of-bounds read combined with an out-of-bounds write inside V8. Such bugs typically stem from incorrect bounds checks on typed arrays, missed range narrowing during JIT optimization, or unsafe assumptions about object shape after speculative compilation. The combination allows attackers to construct addrof and fakeobj primitives commonly used in browser exploitation.
Attack Vector
The attack vector is network-based and requires user interaction. An attacker hosts a crafted HTML page containing malicious JavaScript that triggers the V8 memory corruption. Delivery typically occurs through phishing links, malicious advertisements, or compromised legitimate sites. No authentication is required, and exploitation is consistent with the in-the-wild activity tracked by CISA.
No verified public proof-of-concept is currently available. Refer to the Chromium Issue Tracker Entry for technical details once Google lifts access restrictions on the bug report.
Detection Methods for CVE-2026-11645
Indicators of Compromise
- Chrome renderer processes spawning unexpected child processes such as cmd.exe, powershell.exe, or shell binaries on macOS and Linux
- Browser crash reports referencing V8 with access violations in heap regions during JavaScript execution
- Outbound connections from Chrome to newly registered domains immediately after a user visits an unfamiliar link
- Endpoint telemetry showing Chrome versions older than 149.0.7827.103 in active use
Detection Strategies
- Inventory installed Chrome versions across the fleet and flag any build below 149.0.7827.103
- Hunt for anomalous process lineage where chrome.exe or the renderer process initiates code execution outside the browser sandbox
- Correlate web proxy logs with threat intelligence feeds for domains delivering exploit kits targeting Chromium
- Monitor for unusual memory access patterns and renderer crashes reported via Chrome enterprise crash reporting
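The version inventory check from the list above, as an added example (not code from the advisory or from Google). Host names and all version strings other than 149.0.7827.103 are constructed sample data; the check compares the four version components numerically, because a plain string comparison ranks 149.0.7827.99 above 149.0.7827.103.

```python
import re

# First patched Google Chrome build, per the advisory. Other Chromium-based
# browsers use their own version numbers and need their own thresholds.
FIXED = (149, 0, 7827, 103)
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract a four-part Chrome version from free-form text, or None."""
    match = _VERSION.search(text or "")
    return tuple(int(part) for part in match.groups()) if match else None


def classify(text):
    """Return 'patched', 'vulnerable', or 'unknown' for one reported version."""
    version = parse_version(text)
    if version is None:
        return "unknown"  # no usable data: treat as unverified, not as safe
    return "patched" if version >= FIXED else "vulnerable"


def audit(inventory):
    """inventory: iterable of (host, raw_version). Returns hosts needing action."""
    return {host: status
            for host, raw in inventory
            if (status := classify(raw)) != "patched"}


# Constructed sample inventory, e.g. collected from `google-chrome --version`
SAMPLE = [
    ("lin-001", "Google Chrome 149.0.7827.103 "),
    ("lin-002", "Google Chrome 149.0.7827.99 "),  # older, but sorts higher as a string
    ("win-003", "148.0.7700.200"),
    ("mac-004", "Google Chrome 150.0.7900.12 beta"),
    ("win-005", ""),                               # agent returned nothing
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as `unknown` belong in the remediation queue alongside `vulnerable` ones until a version can be confirmed.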
Monitoring Recommendations
- Enable Chrome Enterprise reporting to centralize version and crash telemetry
- Alert on execution of LOLBins immediately following Chrome renderer activity
- Track DNS and HTTP requests to low-reputation domains from user endpoints
- Review CISA KEV catalog updates and ensure detection content references CVE-2026-11645
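The process-lineage hunt described under Indicators of Compromise, Detection Strategies, and the LOLBin alert above, as an added example (not code from the advisory). The event field names (`host`, `parent_image`, `parent_cmdline`, `image`) and the sample events are constructed; map them to whatever your EDR or process-creation log exports.

```python
import ntpath

# Process names taken from the indicators above; extend for your fleet
# (for example, the macOS helper process names).
CHROME = {"chrome.exe", "chrome"}
SHELLS = {"cmd.exe", "powershell.exe", "sh", "bash", "zsh"}


def base(path):
    """Lower-cased file name; ntpath splits on both '\\' and '/'."""
    return ntpath.basename(path or "").lower()


def score(event):
    """Return None, 'review', or 'alert' for one process-creation event."""
    if base(event["parent_image"]) not in CHROME:
        return None
    if base(event["image"]) not in SHELLS:
        return None  # e.g. Chrome starting its own renderer processes
    # Chrome tags sandboxed renderers with --type=renderer on the command
    # line; a shell whose parent is a renderer is the strongest signal.
    if "--type=renderer" in event.get("parent_cmdline", ""):
        return "alert"
    # The main browser process may start helpers legitimately: triage these.
    return "review"


def hunt(events):
    """Return (host, child process, severity) for every suspicious event."""
    return [(e["host"], base(e["image"]), s) for e in events if (s := score(e))]


# Constructed sample process-creation events
C = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
EVENTS = [
    {"host": "win-01", "parent_image": C, "parent_cmdline": "chrome.exe --type=renderer",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "win-02", "parent_image": C, "parent_cmdline": "chrome.exe", "image": C},
    {"host": "lin-03", "parent_image": "/opt/google/chrome/chrome",
     "parent_cmdline": "/opt/google/chrome/chrome --type=renderer", "image": "/bin/sh"},
    {"host": "win-04", "parent_image": C, "parent_cmdline": "chrome.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"host": "win-05", "parent_image": r"C:\Windows\explorer.exe",
     "parent_cmdline": "explorer.exe", "image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for hit in hunt(EVENTS):
        print(hit)
```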
How to Mitigate CVE-2026-11645
Immediate Actions Required
- Update Google Chrome to version 149.0.7827.103 or later on Windows, macOS, and Linux endpoints
- Restart Chrome on all managed devices to ensure the patched binary is loaded into memory
- Verify Chromium-based browsers such as Microsoft Edge, Brave, and Opera have received the corresponding upstream V8 fix
- Prioritize patching for users with administrative access or access to sensitive systems given the CISA KEV listing
Patch Information
Google released the fix in the Stable channel update documented in the Google Chrome Stable Update advisory. The patched version is 149.0.7827.103. Enterprise administrators should push the update through Chrome Browser Cloud Management, Group Policy, or their endpoint management platform. Additional context is available in the CISA Known Exploited Vulnerability listing.
Workarounds
- Disable JavaScript for untrusted sites through Chrome site settings or enterprise policy where business workflows allow
- Restrict browsing to allowlisted domains via secure web gateway controls until patching completes
- Deploy site isolation and strict transport security policies to reduce the value of a renderer compromise
- Educate users to avoid clicking unfamiliar links and to report suspicious browser crashes to the security team
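```bash
# Verify Chrome version on Linux (patched builds report 149.0.7827.103 or later)
google-chrome --version
```

```powershell
# Force update via Chrome enterprise policy (Windows registry example; run from an elevated prompt)
# UpdateDefault=1 always allows updates
reg add "HKLM\Software\Policies\Google\Update" /v UpdateDefault /t REG_DWORD /d 1 /f
# Check for updates every 60 minutes
reg add "HKLM\Software\Policies\Google\Update" /v AutoUpdateCheckPeriodMinutes /t REG_DWORD /d 60 /f
```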
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


