CVE-2026-11645
published 2026-06-09
CVE-2026-11645: Out of bounds read and write in V8 in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted…
Priority: P1 · 88 · high · 8.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
KEV · ITW
CISA Known Exploited Vulnerability · due 2026-06-23
Exploited in the wild
EPSS: 5.47% (90.4th percentile)
Out of bounds read and write in V8 in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| — | chrome | < 149.0.7827.103 | 149.0.7827.103 |
| — | chrome | >= 149.0.7827.103 < 149.0.7827.103 | 149.0.7827.103 |
| — | chrome_desktop | — | — |
Detection & IOCs
- The vulnerability is actively exploited in the wild via crafted HTML pages targeting Chrome's V8 JavaScript/WebAssembly engine; any Chrome version prior to 149.0.7827.103 (Windows/macOS) or 149.0.7827.102 (Linux) is vulnerable.
- The exploitation vector is a crafted HTML page delivered remotely; monitor for suspicious HTML/JS content triggering V8 out-of-bounds memory access patterns.
- Chromium issue tracker ID 506689381 is the upstream bug reference; use this to correlate patch commits and PoC activity in public repositories.
- Scope extends beyond Chrome: Microsoft Edge, Brave, Opera, Vivaldi and other Chromium-based browsers are also affected; ensure detection/patching coverage includes all Chromium-based browser processes.
- The CISA KEV remediation deadline is 2026-06-23; prioritise patching for Federal Civilian Executive Branch (FCEB) environments and treat any unpatched Chrome/Chromium instance as actively at risk.
- The fix version differs by OS: 149.0.7827.102/.103 for Windows and macOS, 149.0.7827.102 for Linux; version-based detection rules must account for this split.
- Red Hat rates severity as determined by Google's Chrome Security Advisory; downstream Chromium packages (e.g., chromium-browser RPM) are separately tracked and may lag behind upstream patch availability.
CVSS provenance
nvd · v3.1 · 8.8 · HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vulncheck · 8.8 · HIGH
cisa · 8.8 · HIGH
vendor_redhat · 8.8 · HIGH
VulDB
Google Chrome up to 149.0.7827.53 V8 out-of-bounds write (ID 506689)
vuldb·2026-06-09·CVSS 8.8
CVE-2026-11645 [HIGH] Google Chrome up to 149.0.7827.53 V8 out-of-bounds write (ID 506689)
A vulnerability was found in Google Chrome. It has been rated as critical. This affects an unknown part of the component V8. Performing a manipulation results in out-of-bounds write.
This vulnerability is reported as CVE-2026-11645. The attack can be carried out remotely. Moreover, an exploit is present.
Upgrading the affected component is advised.
GHSA
Out of bounds read and write in V8 in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
ghsa_unreviewed·2026-06-09
CVE-2026-11645 [HIGH] CWE-125 Out of bounds read and write in V8 in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
Out of bounds read and write in V8 in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
VulnCheck
Google Chromium V8 Out-of-Bounds Read and Write Vulnerability
vulncheck·2026·CVSS 8.8
CVE-2026-11645 [HIGH] CWE-787 Google Chromium V8 Out-of-Bounds Read and Write Vulnerability
Google Chromium V8 out-of-bounds read and write vulnerability that could allow a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
Affected: Google Chromium V8
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0153744567.html; https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/e
CISA
Google Chromium V8 Out-of-Bounds Read and Write Vulnerability
cisa·2026-06-09·CVSS 8.8
CVE-2026-11645 [HIGH] CWE-787 Google Chromium V8 Out-of-Bounds Read and Write Vulnerability
Vulnerability: Google Chromium V8 Out-of-Bounds Read and Write Vulnerability
Affected: Google Chromium V8
Google Chromium V8 out-of-bounds read and write vulnerability that could allow a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0153744567.html ; https://issues.chromium.org/issues/506689381 ; https://nvd.nist.gov/vuln/detail/CVE-2026
Chrome
Stable Channel Update for Desktop: CVE-2026-11700
vendor_chrome·2026-06-08
CVE-2026-11700 [MEDIUM] Stable Channel Update for Desktop: CVE-2026-11700
Stable Channel Update for Desktop
- CVE-2026-11700: Use after free in Tracing. Reported by Google on 2026-05-10
- [N/A][516413817] Medium CVE-2026-11701: Insufficient validation of untrusted input in Guest View. Reported by Google on 2026-05-25

Google is aware that an exploit for CVE-2026-11645 exists in the wild.
Severity: medium
Chrome
Stable Channel Update for Desktop: CVE-2026-11643
vendor_chrome·2026-06-08·CVSS 8.1
CVE-2026-11643 [CRITICAL] Stable Channel Update for Desktop: CVE-2026-11643
Stable Channel Update for Desktop
- CVE-2026-11643: Use after free in Proxy. Reported by Google on 2026-05-29
- [N/A][518043597] Critical CVE-2026-11644: Use after free in Views. Reported by Google on 2026-05-30
- [$55000][506689381] High CVE-2026-11645: Out of bounds memory access in V8
Severity: critical
Red Hat
chromium-browser: Out of bounds memory access in V8
vendor_redhat·2026-06-08·CVSS 8.8
CVE-2026-11645 [HIGH] CWE-125 chromium-browser: Out of bounds memory access in V8
Out of bounds read and write in V8 in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
An out of bounds memory access flaw was found in the V8 component of the Chromium browser.
Upstream bug(s):
https://code.google.com/p/chromium/issues/detail?id=506689381
Statement: Red Hat Product Security rates the severity of this flaw as determined by the Google Chrome Security Advisory.
No detection rules found.
No public exploits indexed.
Hackernews
CISA Adds Cisco, Chrome, and Arista Flaws to KEV Catalog Amid Active Exploitation
blogs_hackernews·2026-06-10·CVSS 8.8
CVE-2026-20245 [HIGH] CISA Adds Cisco, Chrome, and Arista Flaws to KEV Catalog Amid Active Exploitation
## CISA Adds Cisco, Chrome, and Arista Flaws to KEV Catalog Amid Active Exploitation
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, following reports of active exploitation.
The list of vulnerabilities is as follows -
CVE-2026-20245 (CVSS score: 7.8) - An improper encoding or escaping of output vulnerability in Cisco Catalyst SD-WAN Manager that could allow an authenticated, local attacker to execute arbitrary commands as root by supplying a crafted file to the affected system.
CVE-2026-11645 (CVSS score: 8.8)
Bleepingcomputer
Google patches new Chrome zero-day flaw exploited in the wild
blogs_bleepingcomputer·2026-06-09·CVSS 8.8
CVE-2026-11645 [HIGH] Google patches new Chrome zero-day flaw exploited in the wild
## Google patches new Chrome zero-day flaw exploited in the wild
## Sergiu Gatlan
While Google says the security update could take days or weeks to reach all Chrome users, the update was available immediately when BleepingComputer checked for updates earlier today.
Users who prefer not to manually update their web browser can rely on Chrome to automatically check for updates and install them during the next launch.
This high-severity zero-day vulnerability (CVE-2026-11645) stems from an out-of-bounds read and write weakness in the Chrome V8 JavaScript engine, which remote attackers can exploit via crafted HTML pages to execute arbitrary code inside the web browser's sandbox.
Successful exploitation enables them to access data beyond the memory buffer via heap corruption, exposing s
Hackernews
Chrome V8 Zero-Day CVE-2026-11645 Exploited in the Wild - Patch Now
blogs_hackernews·2026-06-09·CVSS 8.8
CVE-2026-11645 [HIGH] Chrome V8 Zero-Day CVE-2026-11645 Exploited in the Wild - Patch Now
## Chrome V8 Zero-Day CVE-2026-11645 Exploited in the Wild - Patch Now
Google has released security updates to address 74 vulnerabilities, including one that has come under active exploitation in the wild.
The high-severity vulnerability, tracked as CVE-2026-11645 (CVSS score: 8.8), has been described as an out-of-bounds memory access in V8, Chrome's JavaScript and WebAssembly engine.
"Out-of-bounds read and write in V8 in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page," reads a description of the flaw in the NIST's National Vulnerability Datab
Bugzilla
CVE-2026-11645 chromium-browser: Out of bounds memory access in V8
bugzilla·2026-06-09·CVSS 8.8
CVE-2026-11645 [HIGH] CVE-2026-11645 chromium-browser: Out of bounds memory access in V8
Out of bounds read and write in V8 in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
2026-06-09: Published
2026-06-09: Added to CISA KEV
Exploited in the wild