Chrome ships fix for V8 zero-day CVE-2026-11645, CISA adds to KEV
Google's June 8 Stable Channel pushes 149.0.7827.102/.103 for an actively exploited V8 out-of-bounds read/write. CISA added the CVE to KEV the next day.
Google's June 8, 2026 Stable Channel update for Chrome desktop ships fixes for CVE-2026-11645, an out-of-bounds read and write in V8 (the JavaScript and WebAssembly engine), and Google states an exploit "exists in the wild." CVSS v3.1 is 8.8 (High). CISA added the CVE to its Known Exploited Vulnerabilities catalog on June 9, 2026 in a three-CVE batch, which puts the patch under a June 30 federal deadline set by Binding Operational Directive (BOD) 22-01. The fix lands in Stable 149.0.7827.102 (Linux) and 149.0.7827.102/.103 (Windows, macOS). The primary advisory is Google's Chrome releases blog entry for the Stable Channel update for Desktop.
What's affected
- Google Chrome Stable Channel prior to 149.0.7827.103 on Windows and macOS, and prior to 149.0.7827.102 on Linux.
- All Chromium-derived browsers that pull from the same V8 train: Microsoft Edge, Brave, Opera, Vivaldi, Arc, and embedded Chromium runtimes (Electron, CEF). Each vendor ships its own patched build on its own clock; the V8 source fix is the upstream pivot.
- Mobile Chrome rolls separately — confirm the version string against the Play Store / App Store entry once your MDM picks up the update.
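A version gate for the thresholds listed above, as an added example that is not part of the original advisory or any vendor tooling. The inventory row layout, hostnames and function names are assumptions. The floors follow the "prior to" wording in the list, and non-Chrome products return "unknown" because each derivative ships on its own version train.

```python
import re

# Minimum fixed Google Chrome Stable builds, as stated in the affected list above.
FIXED = {
    "linux": (149, 0, 7827, 102),
    "windows": (149, 0, 7827, 103),
    "macos": (149, 0, 7827, 103),
}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def chrome_status(product, platform, version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one inventory row."""
    # Edge, Brave, Electron apps etc. use their own version numbers and release
    # clocks, so the Chrome thresholds say nothing about them.
    if product.strip().lower() != "google chrome":
        return "unknown"
    floor = FIXED.get(platform.strip().lower())
    match = VERSION_RE.search(version_text or "")
    if floor is None or match is None:
        return "unknown"
    # Compare as integer tuples: as plain strings, ".99" sorts after ".103".
    found = tuple(int(part) for part in match.groups())
    return "patched" if found >= floor else "vulnerable"


# Constructed inventory rows (hosts and versions are made up for this example).
INVENTORY = [
    ("lnx-01", "Google Chrome", "linux", "149.0.7827.102"),
    ("win-07", "Google Chrome", "windows", "149.0.7827.60 (Official Build) (64-bit)"),
    ("mac-03", "Google Chrome", "macos", "149.0.7827.99"),
    ("win-11", "Microsoft Edge", "windows", "0.0.0.0 (placeholder)"),
    ("kiosk-2", "Google Chrome", "linux", "version unavailable"),
]


def triage(rows):
    """Map each host to its status."""
    return {host: chrome_status(prod, plat, ver) for host, prod, plat, ver in rows}


if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}: {status}")
```

Rows that come back "unknown" need the vendor's own advisory or a re-scan; they are not evidence of a patched host.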
The bug class is CWE-787 / CWE-125 (out-of-bounds write / read) inside V8's runtime. Reachability is the standard browser-side surface: a victim visits a page hosting attacker-controlled JavaScript and the bug fires inside the V8 sandbox. Code execution per Google's wording is "inside the sandbox" — exploitation typically pairs the bug with a sandbox escape for full RCE on the host, but even sandboxed execution is enough for credential theft, session-cookie exfiltration, and any same-origin damage the loaded page can reach.
Exploitation status
Google credits researcher 303f06e3 for the report on April 27, 2026 under a $55,000 bug bounty. The advisory does not attribute the in-the-wild exploit to a named actor and does not invoke Google's Threat Analysis Group (TAG) tag — the pattern Google uses when TAG attributes activity to a commercial spyware vendor or a state-aligned operator. Treat the absence of TAG framing as data: this looks like a researcher-found bug that turned up in active exploitation independently, not a Project Zero / TAG-cluster surfaced one. Cross-source reporting at Help Net Security, The Hacker News and The Register repeats Google's framing without independent attribution.
Per Google's standard restraint on shipped zero-days, technical details on the exploit chain are withheld until "a majority of users are updated." Expect public PoCs once patched-version rollout crosses ~80%.
Action checklist
- Force-restart Chrome on every managed endpoint. The browser does not apply the fix until the next process restart — that is the gating step, not the silent download. Push a policy nudge or a managed restart, do not rely on user-initiated "Relaunch."
- Verify the version string in chrome://settings/help reads 149.0.7827.102 or higher on Linux, 149.0.7827.103 or higher on Windows / macOS. Anything older is unpatched, regardless of what the "up to date" UI claims during a deferred update.
- Roll the patched build to every Chromium derivative. Edge tracks its own Security Update Guide entry; Brave, Opera, Vivaldi each ship their own. Electron apps in your estate (Slack, Discord, VS Code, 1Password, Signal Desktop) are downstream of V8 too; pin your inventory to the post-149-train Electron releases as they land.
- For federal civilian agencies, BOD 22-01 puts the KEV deadline at June 30, 2026. Document compliance in CSAM.
- Hunt for browser-borne compromise on high-value users. Pull EDR telemetry for chrome.exe / msedge.exe spawning unexpected child processes (PowerShell, mshta, rundll32), unusual outbound on the renderer process, and credential-store / cookie-jar reads between April 27 (earliest possible disclosure-window exploitation) and your patch date.
- Run the V8 patched-version Shodan query against any internet-reachable kiosk, signage, or self-checkout endpoints in your estate that report a Chromium UA string (those rarely sit inside MDM):
http.html:"Google Chrome" -http.html:"149.0.7827.10"
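For the EDR hunt item in the checklist above, a filter over process-creation events, as an added example that is not from the advisory or any EDR product. The event schema (host, time, parent_image, image), the hostnames and the per-host patch dates are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timezone

BROWSERS = {"chrome.exe", "msedge.exe"}
SUSPECT_CHILDREN = {"powershell.exe", "mshta.exe", "rundll32.exe"}
# Start of the exposure window named in the checklist (April 27, 2026).
WINDOW_START = datetime(2026, 4, 27, tzinfo=timezone.utc)


def basename(path):
    """Lower-cased file name from a Windows or POSIX style image path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def hunt(events, patch_dates):
    """Return events where a browser spawned a suspect child while the host was exposed.

    patch_dates maps host -> datetime the fixed build was running; a host that
    is missing from the map is treated as still exposed.
    """
    hits = []
    for ev in events:
        when = datetime.fromisoformat(ev["time"])
        patched = patch_dates.get(ev["host"])
        in_window = when >= WINDOW_START and (patched is None or when < patched)
        if (in_window and basename(ev["parent_image"]) in BROWSERS
                and basename(ev["image"]) in SUSPECT_CHILDREN):
            hits.append(ev)
    return hits


CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\MSEDGE.EXE"
SYS32 = "C:\\Windows\\System32\\"
# Constructed process-creation events, not real telemetry.
EVENTS = [
    {"host": "ws-114", "time": "2026-05-14T09:12:03+00:00", "parent_image": CHROME, "image": SYS32 + "WindowsPowerShell\\v1.0\\powershell.exe"},
    {"host": "ws-114", "time": "2026-04-20T08:00:00+00:00", "parent_image": CHROME, "image": SYS32 + "rundll32.exe"},
    {"host": "ws-201", "time": "2026-06-02T17:40:11+00:00", "parent_image": EDGE, "image": SYS32 + "mshta.exe"},
    {"host": "ws-201", "time": "2026-06-12T10:05:00+00:00", "parent_image": EDGE, "image": SYS32 + "mshta.exe"},
    {"host": "ws-330", "time": "2026-05-20T11:00:00+00:00", "parent_image": CHROME, "image": CHROME},
    {"host": "ws-330", "time": "2026-05-21T11:00:00+00:00", "parent_image": r"C:\Windows\explorer.exe", "image": SYS32 + "WindowsPowerShell\\v1.0\\powershell.exe"},
]
PATCHED = {"ws-201": datetime(2026, 6, 10, tzinfo=timezone.utc)}

if __name__ == "__main__":
    for hit in hunt(EVENTS, PATCHED):
        print(hit["host"], hit["time"], basename(hit["parent_image"]), "->", basename(hit["image"]))
```

Hits are leads for triage alongside the renderer network and credential-store telemetry named in the same checklist item, not verdicts on their own.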
Context
This is the fifth Chrome zero-day exploited in 2026. The preceding four were CVE-2026-2441, CVE-2026-3909, CVE-2026-3910 and CVE-2026-5281 — three of those four also in V8. The pattern is uncomfortable but consistent: Chrome's V8 JIT compiler and its TurboFan / Maglev pipelines remain the single most productive target surface in the browser. The 2024–2025 trend of Type Confusion in V8 repeats here as out-of-bounds memory access; whether it is a JIT speculation bug or a sandbox-internal heap bug, V8 is where the chain starts.
For defenders the operational takeaway is the same as Q1 — Chrome zero-day SLO is 24 hours from CISA KEV add, not the federal 21 days. Five exploited zero-days in five and a half months means the next one is likely already being weaponised against unpatched estates; the only meaningful delta between "we are exposed" and "we are not" is restart cadence.