XOOMAR

Posted on • Originally published at xoomar.com

Fifth Chrome Zero-Day Forces Google's Emergency Patch

Five actively exploited Chrome zero-days have now been patched by Google since the start of the year, after the company shipped an emergency fix for a new flaw already used in attacks.

Google released the update for the Stable Desktop channel after confirming exploitation of CVE-2026-11645, according to BleepingComputer. The patched Chrome versions are rolling out worldwide for Windows 149.0.7827.102, Mac 149.0.7827.103, and Linux 149.0.7827.102.

“Google is aware that an exploit for CVE-2026-11645 exists in the wild,” the company said in its Monday security advisory.

The flaw was reported to Google by an anonymous security researcher two weeks before the fix landed. Google has not disclosed who is exploiting it, who was targeted, or how broad the attacks are.

Google rushes emergency Chrome fix after active zero-day attacks

CVE-2026-11645 is rated high severity and sits in V8, Chrome’s JavaScript engine. That placement matters. V8 processes the code behind modern web pages, which makes browser memory bugs attractive to attackers who can lure a target to a crafted page.

BleepingComputer reports that the flaw stems from an out-of-bounds read and write weakness. Remote attackers can exploit it through crafted HTML pages to execute arbitrary code inside Chrome’s sandbox.

Successful exploitation can allow access to data beyond the intended memory buffer through heap corruption. It can also trigger crashes or expose sensitive information. The flaw may also help bypass protections such as ASLR, making follow-on code execution easier when chained with another weakness.

Google said the update may take days or weeks to reach all users. BleepingComputer said the update was available immediately when it checked earlier today.

Users who don’t manually update can rely on Chrome’s automatic update process, but there’s a catch: the browser typically needs to relaunch before the patched version is actually running.

Five Chrome zero-days in 2026 put browser patching under pressure

This is not an isolated patch cycle. Google has now addressed five Chrome zero-days exploited in attacks since the start of the year, based on the disclosed list in the source material.

| CVE | Component | Issue described in source | Patched |
| --- | --- | --- | --- |
| CVE-2026-2441 | CSSFontFeatureValuesMap | Iterator invalidation bug | Mid-February |
| CVE-2026-3909 | Skia | Out-of-bounds write weakness | March |
| CVE-2026-3910 | V8 JavaScript and WebAssembly engine | Inappropriate implementation vulnerability | March |
| CVE-2026-5281 | Dawn | Use-after-free weakness | April |
| CVE-2026-11645 | V8 JavaScript engine | Out-of-bounds read and write weakness | June |

The pattern is the point. Chrome sits in front of work apps, email, banking, cloud consoles, internal dashboards, and identity sessions. A browser exploit that starts inside the sandbox may still be valuable if attackers can steal browser data, crash processes, or pair it with another flaw.

XOOMAR analysis: The fifth exploited Chrome zero-day of the year should push security teams to treat browser updates less like routine maintenance and more like exposed perimeter response. The source material does not prove these flaws belong to one campaign. It does show a steady cadence of real-world exploitation against core browser components.

Google is withholding deeper bug details for now, which is standard when exploit code is active and many users may still be unpatched.

“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google said. “We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed.”

That leaves defenders with limited intelligence in the first hours of the patch window. The practical response is blunt: push the update, confirm install, and verify restart.

Chrome users should update now and confirm the patched version installed

Chrome users should open the browser’s settings menu and check the current version, or restart Chrome if an update has already downloaded. The protected versions listed by Google are:

  • Windows: 149.0.7827.102
  • Mac: 149.0.7827.103
  • Linux: 149.0.7827.102

For companies, the job doesn’t end with “auto-update is enabled.” Managed browser policies, version pinning, staged rollouts, and delayed restarts can leave fleets exposed even after a vendor patch ships.

Operational priority: IT teams should verify the installed Chrome version across endpoints, not just the availability of the update. If endpoint tools show Chrome still below the fixed release, the device remains in the risk window.
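The version check described above, as an added example that is not part of the original article or any Google tooling. It takes the fixed builds Google listed (Windows and Linux 149.0.7827.102, Mac 149.0.7827.103) and classifies each endpoint from a constructed inventory export. The CSV layout (host, os, installed, running) is an assumption; the "running" column stands for the version of the Chrome process actually executing, which is what separates a device that has downloaded the patch from one that has relaunched into it. Version strings are compared numerically, because plain string comparison ranks patch build 99 above build 102 and would silently mark an unpatched device as fixed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Fixed builds per platform as listed in Google's advisory (taken from the article).
FIXED_VERSIONS = {
    "windows": "149.0.7827.102",
    "mac": "149.0.7827.103",
    "linux": "149.0.7827.102",
}

_VERSION_RE = re.compile(r"^\d+\.\d+\.\d+\.\d+$")


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Turn '149.0.7827.102' into (149, 0, 7827, 102) so comparison is numeric.

    A plain string comparison would rank '...99' above '...102'.
    """
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError(f"unrecognised Chrome version string: {text!r}")
    major, minor, build, patch = (int(p) for p in text.split("."))
    return (major, minor, build, patch)


def is_fixed(os_name: str, version: str) -> bool:
    """True when `version` is at or above the fixed release for that platform."""
    floor = FIXED_VERSIONS[os_name.strip().lower()]
    return parse_version(version) >= parse_version(floor)


@dataclass(frozen=True)
class Finding:
    host: str
    os_name: str
    installed: str
    running: str
    status: str  # patched | pending_relaunch | vulnerable | unknown


def classify(os_name: str, installed: str, running: str) -> str:
    """Map an endpoint's on-disk and in-memory Chrome versions to a risk state."""
    os_key = os_name.strip().lower()
    if os_key not in FIXED_VERSIONS:
        return "unknown"  # platform not covered by this advisory's version list
    try:
        installed_ok = is_fixed(os_key, installed)
        running_ok = is_fixed(os_key, running)
    except ValueError:
        return "unknown"  # inventory did not report a parseable version
    if installed_ok and running_ok:
        return "patched"
    if installed_ok:
        return "pending_relaunch"  # update downloaded, browser not yet restarted
    return "vulnerable"


def triage(inventory_csv: str) -> list[Finding]:
    """Parse the (assumed) host,os,installed,running CSV and classify every row."""
    findings: list[Finding] = []
    for line in inventory_csv.strip().splitlines():
        if not line.strip() or line.lower().startswith("host,"):
            continue
        host, os_name, installed, running = (f.strip() for f in line.split(","))
        findings.append(Finding(host, os_name, installed, running,
                                classify(os_name, installed, running)))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count endpoints per status; anything not 'patched' is still in the risk window."""
    counts = {"patched": 0, "pending_relaunch": 0, "vulnerable": 0, "unknown": 0}
    for finding in findings:
        counts[finding.status] += 1
    return counts


# Constructed sample inventory; the hostnames and the 148.x version are made up.
SAMPLE_INVENTORY = """\
host,os,installed,running
wks-001,windows,149.0.7827.102,149.0.7827.102
wks-002,windows,149.0.7827.99,149.0.7827.99
mac-001,mac,149.0.7827.102,149.0.7827.102
lnx-001,linux,149.0.7827.102,148.0.7765.10
wks-003,windows,n/a,n/a
"""

if __name__ == "__main__":
    results = triage(SAMPLE_INVENTORY)
    for f in results:
        print(f"{f.host:8} {f.os_name:8} installed={f.installed:15} running={f.running:15} {f.status}")
    print(summarize(results))
```

Note that mac-001 reports 149.0.7827.102, which is the fixed build for Windows and Linux but one patch level short of the Mac fix, so it is reported as vulnerable; a single cross-platform threshold would have missed it.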

Until the patched version is installed and Chrome has relaunched, users should be more cautious with suspicious links, unexpected downloads, and untrusted sites, especially on devices used for work accounts or financial services.

Google may publish more technical detail after enough users are updated. For now, the signal is already clear: an exploit exists in the wild, the patched builds are available, and the next meaningful metric is how fast users and enterprises actually move to the fixed versions.


Key Takeaways

  • Chrome users should update promptly because CVE-2026-11645 is already being exploited in real-world attacks.
  • The flaw affects V8, a core browser engine component that attackers can target through crafted web pages.
  • This is the fifth actively exploited Chrome zero-day Google has patched since the start of the year.
