Chrome Zero-Day: Update Before Your Browser Gets Ideas

Google released Chrome security updates fixing 74 vulnerabilities, including CVE-2026-11645, a high-severity V8 zero-day exploited in the wild. The issue is an out-of-bounds memory access flaw in Chrome’s JavaScript and WebAssembly engine that could allow remote code execution inside the browser sandbox via a crafted HTML page. Google confirmed exploitation but withheld details to allow users time to patch. Chrome users should update to version 149.0.7827.102/.103 on Windows/macOS and 149.0.7827.102 on Linux.

Google Chrome has received another emergency patch, this time for a V8 zero-day already being exploited in the wild.

The vulnerability, CVE-2026-11645, affects V8, Chrome’s JavaScript and WebAssembly engine. That is the bit responsible for running a large chunk of the modern web, including the useful bits, the annoying bits and, occasionally, the “oh no, why is my browser doing that?” bits.

The flaw is an out-of-bounds memory access issue. In practical terms, a malicious website could potentially use a crafted HTML page to execute code inside Chrome’s sandbox. Google has confirmed exploitation exists in the wild but has not released detailed technical information yet, which is sensible while users are still patching.

Chrome users should update immediately. Organisations should also remember that Chrome is not the only concern. Microsoft Edge, Brave, Opera, Vivaldi and other Chromium-based browsers may also need updates once fixes are released by their maintainers.

Browser zero-days are particularly awkward because employees do not need to download malware deliberately. Visiting the wrong site, clicking the wrong link or encountering a compromised advert may be enough to start trouble.

The practical fix is simple: update Chrome, relaunch it, and make sure endpoint management tools confirm the version has changed. “It updates automatically” is not a patch management strategy; it is a hopeful sentence.
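
One way to do that confirmation, as an added example that is not part of the original article: the script below classifies hosts from an inventory export against the fixed Chrome builds given above, and separates machines that have the update on disk but are still running the old build because Chrome was never relaunched. The CSV column names, host names and sample versions are constructed assumptions, not the schema of any particular endpoint management tool.

```python
import csv
import io

# Minimum fixed Chrome build per platform, as stated in the article.
FIXED = {"windows": "149.0.7827.102", "macos": "149.0.7827.102", "linux": "149.0.7827.102"}

# Constructed inventory export; column names are assumptions, not a real tool's schema.
SAMPLE_INVENTORY = """host,os,browser,installed_version,running_version
ws-001,windows,chrome,149.0.7827.103,149.0.7827.103
ws-002,windows,chrome,149.0.7827.102,149.0.7827.55
mac-003,macos,chrome,149.0.7827.55,149.0.7827.55
lin-004,linux,chrome,149.0.7827.102,
ws-005,windows,edge,149.0.3900.10,149.0.3900.10
ws-006,windows,chrome,garbage,
"""

def parse_version(text):
    """Turn '149.0.7827.102' into a comparable tuple; return None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(row):
    """Return patched, pending-relaunch, vulnerable, check-vendor or unknown."""
    if row["browser"].lower() != "chrome":
        # The article gives no fixed builds for other Chromium browsers.
        return "check-vendor"
    fixed = parse_version(FIXED.get(row["os"].lower(), ""))
    installed = parse_version(row["installed_version"])
    if fixed is None or installed is None:
        return "unknown"
    if installed < fixed:
        return "vulnerable"
    # Update is on disk; an old running process means Chrome was not relaunched.
    running = parse_version(row["running_version"] or "")
    if running is not None and running < fixed:
        return "pending-relaunch"
    return "patched"

def audit(csv_text):
    """Map each host in the CSV export to its patch status."""
    return {r["host"]: classify(r) for r in csv.DictReader(io.StringIO(csv_text))}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as `pending-relaunch` are the ones "it updates automatically" misses: the installer ran, but the vulnerable V8 build stays loaded until the browser restarts.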