Google Patches Fifth Chrome Zero-Day Exploited in 2026 — V8 Out-of-Bounds Read/Write Enables Sandbox Code Execution (CVE-2026-11645)
Google has released emergency Chrome 149 updates to patch CVE-2026-11645, a high-severity V8 out-of-bounds read/write zero-day exploited in the wild — the fifth Chrome zero-day patched this year.
Google has released emergency Chrome 149 updates to address 74 vulnerabilities, including CVE-2026-11645, a high-severity zero-day that has been actively exploited in the wild. This marks the fifth Chrome zero-day patched in 2026, continuing a pattern of sustained exploitation targeting the world's most widely deployed browser.
CVE-2026-11645 is an out-of-bounds read/write vulnerability in V8, Chrome's JavaScript and WebAssembly engine. A remote attacker can exploit the flaw via a specially crafted HTML page to execute arbitrary code inside the browser's sandbox. The underlying issue stems from heap corruption that allows unauthorized access to memory beyond intended buffer boundaries, which can expose sensitive information, trigger crashes, or bypass protection mechanisms like ASLR — making it easier to chain with a sandbox escape for full compromise.
Google has not disclosed technical details about the attacks exploiting CVE-2026-11645, but threat actors have likely chained it with a separate sandbox escape vulnerability to achieve code execution outside the browser's isolation boundary. The company is withholding additional information until a majority of users have updated.
An anonymous security researcher reported the vulnerability to Google in late April. Based on the Google-assigned identifier, the same researcher has previously reported other Chrome vulnerabilities. Google awarded $55,000 for the responsible disclosure.

Patched versions are now rolling out globally: Chrome 149.0.7827.102 for Windows and Linux, and 149.0.7827.103 for Mac. While Google notes the update could take days or weeks to reach all users through automatic updates, manual updates are available immediately via Chrome's built-in update mechanism.
The four previous Chrome zero-days exploited in 2026 were CVE-2026-2441 (iterator invalidation in CSSFontFeatureValuesMap, patched in February), CVE-2026-3909 (out-of-bounds write in the Skia graphics library, patched in March), CVE-2026-3910 (inappropriate implementation in V8, patched in March), and CVE-2026-5281 (use-after-free in Dawn/WebGPU, patched in April).
Google has also seen a significant surge in internally discovered Chrome vulnerabilities over recent months, with a majority of the 74 flaws patched in this release — most rated critical or high severity — found by Google itself. The surge is likely driven by AI-assisted vulnerability discovery, though Google has not disclosed which models or tools are being used. The company recently reduced base bug bounty payouts for Chrome vulnerabilities in response.
The Takeaway
Update Chrome immediately. The combination of confirmed exploitation, V8 heap corruption, and potential for sandbox escape chaining makes this a high-priority patch. Enterprise environments should push Chrome 149 through managed update policies without waiting for automatic rollout. Organizations using Chromium-based browsers including Microsoft Edge and Opera should monitor for corresponding patches from those vendors.