Chrome V8 Zero-Day CVE-2026-11645 Exploited in the Wild — Patch Now
The fifth in-the-wild Chrome zero-day of the year, in the V8 JavaScript engine, is now patched — but the attack pattern shows no sign of slowing.
Key Takeaways
The fifth in-the-wild Chrome zero-day of 2026, in the V8 JavaScript engine, is patched — and the pattern is not slowing.
MOUNTAIN VIEW, CALIFORNIA — Google on June 9, 2026, shipped a Chrome Stable update fixing CVE-2026-11645, a zero-day in V8 — Chrome's JavaScript engine — that was already being exploited in the wild before the company disclosed it. It is the fifth in-the-wild Chrome zero-day of 2026, and Google is urging users to update immediately.
As is standard practice, Google is withholding technical details of the flaw and the in-the-wild attacks until a majority of users have installed the fix. Chrome updates in the background, but the patched build only takes effect once the browser is restarted — which means the safest move is to relaunch Chrome now rather than wait for the next routine close.
At a Glance

| Field | Details |
|---|---|
| CVE | CVE-2026-11645 |
| Component | V8 — Chrome's JavaScript engine |
| Class | Out-of-bounds memory access in V8 |
| Status | Exploited in the wild before disclosure |
| Fix shipped | Chrome Stable update, on/around June 9, 2026 |
| Significance | Fifth in-the-wild Chrome zero-day of 2026 |
| Action | Update Chrome and restart the browser |
What CVE-2026-11645 Is
CVE-2026-11645 is a vulnerability in V8, the JavaScript engine at the core of Chrome and other Chromium-based browsers. V8 is the component that compiles and runs the JavaScript on every web page a user visits, which makes a flaw there reachable simply by loading a malicious or compromised page — no download or click required beyond visiting the site.
According to The Hacker News, the bug is an out-of-bounds memory access in V8, a class of memory-safety defect in which code reads or writes outside the bounds it is supposed to stay within. Google has confirmed the flaw was exploited in the wild before it was patched, the hallmark of a zero-day: defenders learned of the bug only after attackers were already using it.
Google, as is its custom for actively exploited browser bugs, has not released the technical specifics of the vulnerability or described the attacks. It says it will hold those details back until the patched version has reached the majority of Chrome's user base, to avoid handing a roadmap to other attackers while users are still updating.
Five Chrome Zero-Days in Six Months — a Pattern
CVE-2026-11645 is, by The Register's count, the fifth Chrome zero-day exploited in the wild in 2026 — five actively exploited browser bugs in roughly the first half of the year. Several of this year's in-the-wild Chrome zero-days have centered on V8, the same high-value engine, underscoring how attractive a target the JavaScript engine has become.
The reason is structural. V8 is enormously complex, performance-critical code written largely in C++, a language without automatic memory safety, and it processes untrusted input from every web page. That combination makes memory-safety bugs both likely to exist and extremely valuable once found: a reliable V8 flaw gives an attacker code execution inside the browser from nothing more than a visited page, which is why these vulnerabilities command high prices and surface in real-world attacks.
The cadence also fits the broader 2026 threat picture. Vulnerability exploitation has become attackers' leading entry point, and zero-days in widely deployed software are increasingly weaponized within days of — or before — disclosure. The CyberSignal has tracked that acceleration across this year's caseload, including our May 2026 CVE Watch roundup and Google's report on the first AI-developed zero-day used in mass exploitation.
Update Instructions and Verification
Chrome downloads updates automatically, but they do not apply until the browser is relaunched, so a long-running Chrome session can stay vulnerable for days. To update and verify, open the menu (the three dots at the top right), go to Help, then About Google Chrome — Chrome will check for and download the latest version. When prompted, click Relaunch to apply it. Confirm afterward that the version shown matches the latest Stable build Google has published for your platform. Users who manage browsers at scale should push the update through their normal patch process; for background on building that discipline, see our explainer on patch management.
The same fix flows to other Chromium-based browsers — including Microsoft Edge, Brave, Opera, and Vivaldi — but on each vendor's own release schedule. Users of those browsers should apply their respective updates as they become available rather than assuming the Chrome fix protects them automatically.
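For teams managing browsers at scale, the relaunch gap and the per-vendor schedules described above can be checked from inventory data. The sketch below is an added example, not code from Google or from this article: it separates hosts that are patched, hosts where the update is staged but the old build is still running, and hosts that are unpatched. The patched-version floor is a placeholder because the fixed build number is not given here, and the inventory records and their field names are constructed for illustration.

```python
# The page gives no fixed build number, so this floor is a PLACEHOLDER.
PATCHED_FLOOR = {"chrome": "999.0.100.50"}  # placeholder, not a real build

# Constructed sample inventory; field names are hypothetical.
SAMPLE_INVENTORY = [
    {"host": "ws-01", "browser": "chrome", "installed": "999.0.100.50", "running": "999.0.100.50"},
    {"host": "ws-02", "browser": "chrome", "installed": "999.0.100.50", "running": "999.0.99.210"},
    {"host": "ws-03", "browser": "chrome", "installed": "999.0.99.210", "running": "999.0.99.210"},
    {"host": "ws-04", "browser": "edge", "installed": "999.0.100.50", "running": None},
    {"host": "ws-05", "browser": "chrome", "installed": "999.0.100.50", "running": None},
    {"host": "ws-06", "browser": "chrome", "installed": "999.0.100", "running": None},
]


def parse_version(text):
    """Parse 'a.b.c.d' into a tuple of ints so fields compare numerically."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part version: {text!r}")
    return tuple(int(p) for p in parts)


def classify(record, floors=PATCHED_FLOOR):
    """Return 'patched', 'restart-pending', 'unpatched' or 'unknown'."""
    floor_text = floors.get(record["browser"])
    if floor_text is None:
        return "unknown"  # other Chromium browsers need their vendor's floor
    floor = parse_version(floor_text)
    try:
        installed = parse_version(record["installed"])
        running = parse_version(record["running"]) if record["running"] else None
    except ValueError:
        return "unknown"  # malformed telemetry is never counted as patched
    if installed < floor:
        return "unpatched"
    if running is not None and running < floor:
        return "restart-pending"  # update staged on disk, old build in memory
    return "patched"


def triage(inventory, floors=PATCHED_FLOOR):
    """Group host names by classification."""
    groups = {}
    for record in inventory:
        groups.setdefault(classify(record, floors), []).append(record["host"])
    return groups
```

Versions are compared as integer tuples because a plain string comparison would rank `999.0.99.210` above `999.0.100.50` and report an unpatched host as patched.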
Open Questions
Several details remain unconfirmed, in keeping with Google's practice of withholding specifics for actively exploited bugs. Google has not publicly attributed the in-the-wild exploitation to any named threat actor, has not described the victims or the campaign, and has not detailed how the flaw was being used. Those particulars are likely to emerge only after the patch has propagated widely.
What is established is enough to act on: a memory-safety zero-day in Chrome's JavaScript engine was exploited in the wild, it is the fifth such Chrome zero-day of 2026, and a fix is available now. For a bug reachable by simply visiting a web page, the gap between patched and unpatched is the gap that matters — and closing it takes only a browser restart.