A high-severity zero-day vulnerability (CVE-2026-11645) in the Chrome V8 JavaScript engine was exploited in the wild, involving out-of-bounds read and write operations. This flaw enables remote attackers to execute arbitrary code inside the browser sandbox by delivering crafted HTML content. The vulnerability can expose sensitive memory data or cause crashes and can be leveraged to bypass security protections such as ASLR. Google released emergency patches for Chrome Stable Desktop versions on Windows, Mac, and Linux to address this issue. The update was made available shortly after an anonymous researcher reported the flaw. This zero-day is the fifth actively exploited Chrome vulnerability patched in 2026, with Google maintaining restrictions on detailed disclosure until widespread patch deployment.

Successful exploitation of this vulnerability allows remote attackers to execute arbitrary code within the Chrome browser sandbox, potentially exposing sensitive information or causing browser crashes. It also facilitates bypassing security mechanisms like ASLR, increasing the likelihood of further code execution exploits. The vulnerability has been actively exploited in the wild, indicating real-world risk to users running unpatched versions of Chrome on Windows, Mac, and Linux platforms.

Google has released official patches for this zero-day vulnerability in Chrome Stable Desktop versions 149.0.7827.102 (Windows/Linux) and 149.0.7827.103 (Mac). Users should update their Chrome browsers immediately to these or later versions to mitigate the risk. Chrome typically updates automatically on launch, but manual update checks can accelerate patch deployment. Since the update is already available, no additional mitigation steps are required beyond applying the official patch.