CVE-2026-11645

Published Jun 9, 2026

Last updated 11 hours ago

Exploit knownCVSS high 8.8

Overview

AI description

Automated description summarized from trusted sources.

CVE-2026-11645 is an out-of-bounds read and write vulnerability found in the V8 JavaScript engine of Google Chrome. This flaw allows a remote attacker to execute arbitrary code within the browser's sandbox by enticing a user to visit a specially crafted HTML page. The vulnerability affects Google Chrome versions prior to 149.0.7827.103, as well as other Chromium-based browsers that utilize the V8 engine. Google has confirmed that an exploit for CVE-2026-11645 exists and is being actively used in the wild.

Description
Out of bounds read and write in V8 in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Source
chrome-cve-admin@google.com
NVD status
Analyzed
Products
chrome

Risk scores

CVSS 3.1

Type
Secondary
Base score
8.8
Impact score
5.9
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity
HIGH

Known exploits

Data from CISA

Vulnerability name
Google Chromium V8 Out-of-Bounds Read and Write Vulnerability
Exploit added on
Jun 9, 2026
Exploit action due
Jun 23, 2026
Required action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-125

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

9

  1. Chrome 5th zero-day of 2026 Google patched the 5th actively exploited Chrome zero-day of 2026. CVE-2026-11645 out-of-bounds read/write in the V8 engine, confirmed exploited in the wild. Fixed in 149.0.7827.102/.103 (Win/Mac/Linux). Google is withholding details until users

    @ElusivePrivacy

    9 Jun 2026

    71 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  2. 米国サイバーセキュリティ・社会基盤安全保障庁(CISA)が既知の悪用された脆弱性カタログにアリスタネットワークス社EOSのCVE-2026-7473、ChromiumのCVE-2026-11645、Cisco Catalyst SD-WAN ManagerのCVE-2026-20245を追加。対処期限

    @__kokumoto

    9 Jun 2026

    1438 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  3. 🛡️ We added Arista EOS vulnerability CVE-2026-7473, Google Chromium V8 vulnerability CVE-2026-11645, & Cisco Catalyst vulnerability CVE-2026-20245 to our KEV Catalog. Visit https://t.co/myxOwap1Tf & apply mitigations to protect your org from cyberattacks. #Cybersecur

    @CISACyber

    9 Jun 2026

    3190 Impressions

    9 Retweets

    24 Likes

    2 Bookmarks

    1 Reply

    1 Quote

  4. CVE-2026-11645: Exploited Chrome V8 Bug Enables In-Browser Code Execution https://t.co/strRb02BoZ CVE-2026-11645: Exploited Chrome V8 Bug Enables In-Browser Code Execution CVE-2026-11645 is a high-severity Google Chrome zero-day in the V8 JavaScript/WebAssembly engine caused

    @f1tym1

    9 Jun 2026

    36 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. Google patches Chrome zero-day exploited in the wild (CVE-2026-11645): Google has fixed 74 vulnerabilities in Chrome, including (CVE-2026-11645), a high-severity zero-day that has been exploited in the wild. “Google is aware that an exploit for… https://t.co/DFze4cxmEn https:

    @shah_sheikh

    9 Jun 2026

    24 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. Google has released emergency Chrome updates to fix CVE-2026-11645, a zero-day in the V8 JavaScript engine that has been exploited in the wild. This is the fifth Chrome zero-day patched this year, following earlier fixes for flaws including CVE-2026-2441, CVE-2026-3909, https://t

    @BreachBrief

    9 Jun 2026

    52 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. Google Chrome V8越界读写漏洞(CVE-2026-11645) #chrome #CVE-2026-11645 https://t.co/eSskoqxC80

    @JiaGao54899

    9 Jun 2026

    16 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. Inappropriate implementation in Guest View in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)CVE-2026-11701
  2. Use after free in Tracing in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)CVE-2026-11700
  3. Use after free in Bluetooth in Google Chrome on Mac prior to 149.0.7827.103 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)CVE-2026-11699
  4. Use after free in Bluetooth in Google Chrome on Mac prior to 149.0.7827.103 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)CVE-2026-11698
  5. Insufficient validation of untrusted input in UI in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)CVE-2026-11697

References

Sources include official advisories and independent security research.