Google has released emergency updates to patch another Chrome zero-day vulnerability that has been exploited in the wild, the fifth such flaw patched since the start of the year.
“Google is aware that an exploit for CVE-2026-11645 exists in the wild,” the company said in a Monday security advisory.
The company fixed the zero-day for users in the Stable Desktop channel, with patched versions rolling out worldwide to Windows (149.0.7827.102), Mac (149.0.7827.103), and Linux (149.0.7827.102) systems two weeks after an anonymous security researcher reported it to Google.
While Google says the security update could take days or weeks to reach all Chrome users, the update was available immediately when BleepingComputer checked for updates earlier today.
Users who prefer not to manually update their web browser can rely on Chrome to automatically check for updates and install them during the next launch.
This high-severity zero-day vulnerability (CVE-2026-11645) stems from an out-of-bounds read and write weakness in the Chrome V8 JavaScript engine, which remote attackers can exploit via crafted HTML pages to execute arbitrary code inside the web browser’s sandbox.
Successful exploitation enables them to access data beyond the memory buffer via heap corruption, exposing sensitive information or triggering a crash.
Besides unauthorized access to out-of-bounds memory, the now-patched zero-day bug could also be exploited to bypass protection mechanisms such as ASLR, making it easier to achieve code execution via another weakness.
While Google said it was aware of CVE-2024-0519 zero-day exploits used in attacks, the company has not yet shared further details about these incidents.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google said. “We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”
Since the start of the year, Google addressed four more zero-days exploited in attacks:
- An iterator invalidation bug (CVE-2026-2441) in CSSFontFeatureValuesMap (Chrome’s implementation of CSS font feature values), which Google addressed in mid-February.
- Two other Chrome zero-day bugs exploited in attacks in March: an out-of-bounds write weakness in the Skia 2D graphics library (CVE-2026-3909), and an inappropriate implementation vulnerability in the V8 JavaScript and WebAssembly engine (CVE-2026-3910).
- And a use-after-free weakness in Dawn (CVE-2026-5281), the underlying cross-platform implementation of the WebGPU standard used by the Chromium project, which Google patched in April.
Last year, Google fixed another eight zero-days exploited in the wild, many of them reported by the company’s Threat Analysis Group (TAG), which is known for identifying and tracking zero-day exploits used in spyware attacks.
Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.
