Google released a Chrome 149 security update that fixes an actively exploited browser flaw, putting Chrome users at risk until they update. The zero-day, CVE-2026-11645, is a high-severity out-of-bounds read/write bug in the V8 JavaScript engine that can let a remote attacker run code inside Chrome’s sandbox via a specially crafted HTML page; exploitation likely requires chaining with a separate sandbox-escape flaw for full compromise. Google said the bug was reported in late April by an anonymous researcher.
info@thehackernews.com (The Hacker News)
2026.06.10
90% relevant
This article appears to advance the same Chrome event by reporting CISA has added the actively exploited Chrome flaw CVE-2026-11645 to KEV, reinforcing that exploitation is confirmed and that affected users and enterprises should prioritize updating Chrome 149 or later.
2026.06.09
97% relevant
This article is a direct update on the same event, adding that CVE-2026-11645 is an out-of-bounds memory access bug in Chrome's V8 JavaScript engine, that Google paid a $55,000 bounty for the report, and that it is the fifth exploited Chrome zero-day fixed in 2026.
info@thehackernews.com (The Hacker News)
2026.06.09
99% relevant
It covers the same underlying event: Google's patch for the actively exploited Chrome V8 zero-day CVE-2026-11645, reinforcing the urgency to update affected Chrome installations.
Sergiu Gatlan
2026.06.09
98% relevant
This article reports the same underlying event: Google's emergency fix for CVE-2026-11645, an in-the-wild exploited Chrome zero-day in Chrome 149, and adds rollout version details for Windows, macOS, and Linux plus technical context that the flaw is an out-of-bounds read/write bug in the V8 engine reachable via crafted HTML.
Eduard Kovacs
2026.06.09
100% relevant
This article establishes a new tracked event centered on CVE-2026-11645, a distinct Chrome zero-day that Google says was exploited in the wild and patched in Chrome 149.