CVE-2026-11645: Out-of-Bounds Memory Access in Google Chrome V8 Engine
Vulnerability ID: CVE-2026-11645
CVSS Score: 8.8
Published: 2026-06-08
A high-severity memory corruption vulnerability exists in the V8 JavaScript engine of Google Chrome before versions 149.0.7827.102/103. The flaw arises from an incorrect bounds-check elimination during JIT compilation by the TurboFan optimizer, allowing remote attackers to achieve out-of-bounds read and write access inside the sandboxed renderer process.
TL;DR
An out-of-bounds read and write vulnerability in Google Chrome's V8 engine allows remote attackers to execute arbitrary code within the sandboxed renderer process via crafted JavaScript.
Technical Details
- CWE ID: CWE-125, CWE-787
- Attack Vector: Network (AV:N)
- CVSS Score: 8.8
- Exploit Status: Proof of Concept / Restricted
- CISA KEV Status: Not Listed
Affected Systems
- Google Chrome
- Microsoft Edge
- Any Chromium-based browser utilizing the V8 JavaScript engine
-
Google Chrome: < 149.0.7827.102 (Fixed in:
149.0.7827.102)
Mitigation Strategies
- Enforce browser auto-updates across the enterprise
- Deploy strict endpoint process monitoring
- Utilize Network Intrusion Detection Systems to monitor for known exploitation behavior
Remediation Steps:
- Verify Google Chrome version is 149.0.7827.103 or higher (Windows/macOS) or 149.0.7827.102 (Linux)
- Force browser restart to apply pending updates
- Implement endpoint detection rules to monitor Chrome subprocess behavior
Read the full report for CVE-2026-11645 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)