Google patches Chrome zero-day CVE-2026-11645 after active exploitation

Google has released security updates for Chrome to fix 74 vulnerabilities, including a high-severity zero-day tracked as CVE-2026-11645 that the company said is being exploited in the wild.

KEY FACTS

  • Flaw: CVE-2026-11645 is an out-of-bounds memory access issue in V8, Chrome’s JavaScript and WebAssembly engine.
  • Severity: The vulnerability has a CVSS score of 8.8.
  • Impact: It could let a remote attacker execute arbitrary code inside a sandbox through a crafted HTML page.
  • Fix: Google issued versions 149.0.7827.102/.103 for Windows and macOS and 149.0.7827.102 for Linux.

The NIST National Vulnerability Database described the flaw as an out-of-bounds read and write in V8 in Google Chrome prior to version 149.0.7827.103. A security researcher using the name 303f06e3 reported the bug on April 27, 2026, and received a $55,000 bounty for the disclosure.

Google said an exploit for the issue exists in the wild, but did not provide further details. The company said it withheld more information to give users time to update and to limit further exploitation.

The advisory said this was the fifth actively exploited Chrome zero-day Google has fixed this year, following CVE-2026-2441, CVE-2026-3909, CVE-2026-3910 and CVE-2026-5281.

Users can check for updates by opening Chrome’s More menu, choosing Help, then About Google Chrome, and relaunching the browser after the update installs. Users of other Chromium-based browsers, including Microsoft Edge, Brave, Opera and Vivaldi, are also advised to install fixes when they become available.
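For anyone responsible for more than one machine, the practical follow-up is to confirm which installs still run a build older than the fixed versions listed above. The script below is an added example written for this article, not code from Google or from the article’s author. It compares reported Chrome versions against the fixed builds named in the advisory (149.0.7827.102 on all three platforms, with .103 also shipped for Windows and macOS) and flags hosts that predate the fix. The inventory it runs over is constructed sample data with hypothetical host names; in practice the version strings would come from an endpoint management or inventory tool. It covers Chrome only, because the fixed versions for Edge, Brave, Opera and Vivaldi are not given in the article.

```python
"""Flag Chrome installs still vulnerable to CVE-2026-11645 (out-of-bounds
memory access in V8) by comparing reported versions against the fixed
builds Google shipped for each platform."""

# Minimum fixed build per platform, as stated in Google's advisory.
# Windows and macOS received 149.0.7827.102 and .103; Linux received .102.
# Anything at or above .102 therefore carries the fix on every platform.
FIXED_VERSION = {
    "windows": (149, 0, 7827, 102),
    "macos": (149, 0, 7827, 102),
    "linux": (149, 0, 7827, 102),
}


def parse_version(text):
    """Turn a dotted Chrome version string into a comparable tuple of ints.

    Chrome versions have four numeric components (major.minor.build.patch);
    comparing them as tuples gives correct ordering, unlike string comparison
    where "149.0.7827.92" would sort after "149.0.7827.103".
    Raises ValueError on anything that is not four numeric components.
    """
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(version, platform):
    """True when the installed version is at or above the fixed build."""
    key = platform.lower()
    if key not in FIXED_VERSION:
        raise ValueError(f"no fixed version known for platform {platform!r}")
    return parse_version(version) >= FIXED_VERSION[key]


# Constructed sample inventory: hypothetical hosts and version strings,
# not real telemetry. Replace with output from your inventory tooling.
SAMPLE_INVENTORY = [
    {"host": "ws-01", "platform": "windows", "version": "149.0.7827.103"},
    {"host": "ws-02", "platform": "windows", "version": "149.0.7827.92"},
    {"host": "mac-07", "platform": "macos", "version": "148.0.7790.140"},
    {"host": "lnx-03", "platform": "linux", "version": "149.0.7827.102"},
    {"host": "lnx-04", "platform": "linux", "version": "149.0.7820.5"},
]


def find_vulnerable(inventory):
    """Return the sorted host names whose Chrome build predates the fix."""
    return sorted(
        item["host"]
        for item in inventory
        if not is_patched(item["version"], item["platform"])
    )


if __name__ == "__main__":
    for host in find_vulnerable(SAMPLE_INVENTORY):
        print(f"{host}: update Chrome and relaunch to close CVE-2026-11645")
```

The version check deliberately parses into integer tuples rather than comparing strings, since a lexical comparison would wrongly treat 149.0.7827.92 as newer than 149.0.7827.103. Hosts on unknown platforms raise rather than silently passing, so a gap in inventory data shows up as an error instead of a false "patched" result.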

WHY IT MATTERS

Active exploitation raises the risk of real-world attacks before many users update. Prompt patching reduces exposure for Chrome users and for people using other browsers built on Chromium, which often share the same underlying code.