HiveForce Labs · Threat Advisory · Vulnerability Report
Google has patched an actively exploited zero-day in the Chrome V8 JavaScript engine — CVE-2026-11645 — an out-of-bounds read/write vulnerability that can enable memory corruption, information disclosure, and potentially arbitrary code execution. A victim visiting a malicious web page is all that is required. All Chrome versions before 149.0.7827.103 on Windows, macOS, and Linux are affected. Update immediately.
CVE-2026-11645149.0.7827.102149.0.7827.103Section 01
Google has released an emergency patch for CVE-2026-11645, a high-severity zero-day in the V8 JavaScript and WebAssembly engine powering Google Chrome and all Chromium-based browsers. The vulnerability is an out-of-bounds read/write flaw (CWE-125 / CWE-787) in Chrome's JavaScript execution component, enabling memory corruption, sensitive data exposure, and potentially arbitrary code execution — all without any user interaction beyond visiting a malicious web page. Google has confirmed active in-the-wild exploitation. No information has been disclosed regarding threat actors, targeted sectors, geographic focus, or post-exploitation activity.
The fix ships as Chrome 149.0.7827.102 for Windows and Linux, and 149.0.7827.103 for macOS, released as part of a broader emergency security rollout. Because V8 is shared across all Chromium-based browsers — including Microsoft Edge, Brave, Opera, and Vivaldi — organisations must audit and update all derivative browsers in addition to Chrome itself.
| CVE ID | Name | Affected Product | Zero-Day | CISA KEV | Patch |
|---|---|---|---|---|---|
| CVE-2026-11645 | Google Chromium V8 Out-of-Bounds Read and Write Vulnerability | Google Chrome (all versions before 149.0.7827.103) |
✓ | ✓ | ✓ |
Section 02
Root Cause: Out-of-Bounds Memory Access in V8 (CWE-125 / CWE-787)
The V8 engine is the open-source JavaScript and WebAssembly runtime responsible for compiling and executing JavaScript code within web pages in Chrome and all Chromium-based browsers. CVE-2026-11645 stems from an out-of-bounds memory access issue that permits unauthorized read and write operations beyond allocated memory boundaries — classified as both CWE-125 (Out-of-bounds Read) and CWE-787 (Out-of-bounds Write). V8 remains a prime target for attackers seeking reliable browser exploitation paths.
Impact: Memory Corruption to Arbitrary Code Execution
Out-of-bounds read/write flaws in browser engines are particularly dangerous because they can enable attackers to corrupt neighboring memory objects, expose sensitive information from process memory, and build arbitrary read/write primitives. These primitives provide significant control over browser memory — making this class of bug a recurring feature in sophisticated browser exploitation chains used by both nation-state actors and cybercriminal groups.
Zero-Click Drive-By: Single Page Visit Sufficient
Exploitation requires only that an attacker host or compromise a malicious web page crafted to trigger the vulnerable code path in V8. Once a victim visits the page, the flaw can be exploited without any further user interaction. This zero-click drive-by delivery model makes CVE-2026-11645 especially high-risk for any organisation where users browse the web on Chrome or any Chromium-based browser.
Active Exploitation Confirmed — Attribution Withheld
Google has confirmed that CVE-2026-11645 has been exploited in the wild, with the earliest known exploitation dating to April 27, 2026. At present, no information has been disclosed regarding the threat actors involved, targeted sectors, geographic focus, or post-exploitation activity — consistent with Google's standard practice of withholding attribution details until patching reaches sufficient rollout coverage.
| CVE ID | Affected Product | Affected CPE | CWE |
|---|---|---|---|
| CVE-2026-11645 | Google Chrome before 149.0.7827.103 (Windows, macOS, Linux) |
cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:* | CWE-125, CWE-787 |
Section 03
Update Chrome Immediately
Apply the Chrome 149 stable channel update without delay. Patched versions are 149.0.7827.102 for Windows and Linux, and 149.0.7827.103 for macOS. Use enterprise endpoint management or browser management policies to push updates across all managed endpoints, and verify deployment via software inventory reporting.
Force Browser Relaunch After Update
Chrome downloads updates in the background, but the patched binary does not take effect until the browser restarts. In managed environments, enforce relaunch policies or maintenance window prompts to ensure users are actually running the patched version. Track patch deployment and relaunch compliance as distinct metrics.
Restrict High-Risk Browsing While Patches Propagate
For endpoints where immediate patching is not possible — kiosk devices, VDI golden images, or systems with change management constraints — temporarily increase controls around high-risk web browsing. Consider limiting access to uncategorized URL categories, enforcing web isolation for untrusted content, or deploying browser-level exploit protection mechanisms.
Monitor for Suspicious Browser-Derived Activity
Even with patching underway, monitor endpoints for anomalous behaviours indicating exploitation attempts. Watch for unexpected child processes spawned by Chrome, unusual network beacons shortly after browsing events, abnormal crash patterns in Chrome renderer processes, or signs of lateral movement originating from endpoints with active browser sessions.
Audit Chromium-Based Browser Inventory
V8 is shared across all Chromium-based browsers — Microsoft Edge, Brave, Opera, and Vivaldi. Ensure all Chromium-derivative browsers in the environment are updated to versions incorporating the V8 fix. Maintain an accurate inventory of all browser types and versions deployed across the organisation, treating each as a patching obligation equal to Chrome itself.
Section 04
CVE-2026-11645 requires only that a victim visits a malicious or attacker-controlled web page. The out-of-bounds V8 flaw is triggered silently during JavaScript execution, with no further user interaction needed — the defining characteristic of a drive-by compromise attack.CVE-2026-11645 in the wild indicates that threat actors — nation-state or criminal — acquired and weaponised this V8 vulnerability prior to public disclosure, consistent with the systematic identification and operationalisation of browser engine vulnerabilities for use in targeted or broad campaigns.Section 05
