CVE-2026-11645 — Google Chromium V8 Out-of-Bounds Read and Write Vulnerability

CVE-2026-11645

Google Chrome — Fifth 2026 V8 Zero-Day; TurboFan JIT OOB Enables In-Sandbox RCE

What is Google Chromium V8?

V8 is Google's open-source JavaScript and WebAssembly engine, embedded in Chrome, Chromium-based browsers (Edge, Opera, Brave), and Node.js. It runs JavaScript through a multi-tier pipeline — Ignition (bytecode interpreter), Sparkplug (baseline JIT), Maglev (mid-tier optimizing JIT) and TurboFan (top-tier optimizing JIT) — promoting hot functions to native machine code. Because V8 executes untrusted web content at near-native speed, bugs in its compilers and memory management are among the most exploited browser attack surfaces, and they regularly appear in state-sponsored exploit chains targeting both consumer and enterprise environments.

Overview

CVE-2026-11645 is an out-of-bounds read and write in V8's TurboFan JIT compiler, exploitable via a crafted HTML page to achieve remote code execution within the Chrome renderer sandbox. Google confirmed active exploitation in the wild and shipped a fix in Chrome 149.0.7827.102/103 on June 8, 2026; CISA added the vulnerability to the KEV catalog the following day. This is the fifth Chrome zero-day exploited in 2026, following CVE-2026-2441, CVE-2026-3909, CVE-2026-3910, and CVE-2026-5281.

Affected Versions

Component                  Vulnerable                            Fixed
Chrome (Windows / macOS)   < 149.0.7827.102                      149.0.7827.102 / 149.0.7827.103
Chrome (Linux)             < 149.0.7827.102                      149.0.7827.102
Chromium-based browsers    Any build with V8 prior to the fix    Varies by vendor (Edge, Opera, Brave, etc.)

Technical Details

The flaw resides in TurboFan's range analysis, the phase that statically tracks the minimum and maximum values of loop induction variables and array index expressions so that bounds checks proven redundant can be removed before native code is emitted. If the analysis proves an index always lies in [0, length), the check is dropped; if that proof rests on a wrong assumption, the compiled code performs the access unchecked. A logic error of that kind lets a crafted JavaScript program make TurboFan emit native code that reads or writes past the end of a heap object. NVD classifies the bug as CWE-125 (out-of-bounds read), although it is described as both an out-of-bounds read and write; an out-of-bounds write into adjacent heap objects is the usual route from this bug class to code execution in the renderer.
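To make that failure mode concrete, the following is an added toy model of induction-variable range tracking feeding bounds-check elimination. It is not V8 code and not a description of this CVE's actual root cause, which Google has not published. The function names (`inductionRange`, `needsBoundsCheck`, `run`) and the specific mistake modelled (assuming the loop step is a positive constant without proving it) are hypothetical; the point is that one unproven assumption in the analysis turns a removed check into an unchecked native access:

```javascript
// Toy model of the loop induction-variable range analysis that an optimizing
// JIT such as TurboFan runs before bounds-check elimination (BCE).
// Added illustration only: not V8 code and not the root cause of CVE-2026-11645.

const INT32_MIN = -2147483648;
const INT32_MAX = 2147483647;
const FULL_INT32 = { lo: INT32_MIN, hi: INT32_MAX }; // "nothing proven" range

// Range of i inside the body of `for (let i = init; i < limit; i += step)`.
// init, limit and step are ranges {lo, hi}: the analysis usually sees values
// it can only bound, not constants. sound=false models a hypothetical bug:
// treating the step as a positive constant without proving it.
function inductionRange(init, limit, step, sound) {
  if (!sound || step.lo >= 1) {
    // Monotonically increasing: the guard i < limit bounds it above.
    return { lo: init.lo, hi: limit.hi - 1 };
  }
  if (step.hi <= -1) {
    // Monotonically decreasing: the guard never bounds it below.
    return { lo: INT32_MIN, hi: Math.max(init.hi, limit.hi - 1) };
  }
  // Step may be zero or change sign: nothing can be proven.
  return FULL_INT32;
}

// The check on arr[i] may be dropped only if every i is provably inside
// every possible arr.length; lengthRange.lo is the smallest length to fear.
function needsBoundsCheck(idx, lengthRange) {
  return idx.lo < 0 || idx.hi >= lengthRange.lo;
}

// Execute the same loop shape. With elideCheck=false the runtime check stops
// the loop at the first bad index (what the interpreter, or a JIT with a sound
// analysis, does); with elideCheck=true it records every index the compiled
// code would have dereferenced unchecked.
function run(arr, init, limit, step, elideCheck) {
  const touched = [];
  for (let i = init; i < limit; i += step) {
    if (!elideCheck && (i < 0 || i >= arr.length)) break;
    touched.push(i);
    if (touched.length >= 16) break; // a negative step never fails i < limit
  }
  return touched;
}

// Indices outside [0, arr.length).
function outOfBounds(arr, indices) {
  return indices.filter((i) => i < 0 || i >= arr.length);
}

function demo() {
  const arr = new Array(8).fill(0);
  const init = { lo: 0, hi: 0 };
  const limit = { lo: 8, hi: 8 };
  const step = { lo: -1, hi: 1 }; // attacker-influenced, e.g. a call argument
  const lengthRange = { lo: 8, hi: 8 };

  const soundRange = inductionRange(init, limit, step, true);
  const buggyRange = inductionRange(init, limit, step, false);
  const soundKeepsCheck = needsBoundsCheck(soundRange, lengthRange);
  const buggyElidesCheck = !needsBoundsCheck(buggyRange, lengthRange);

  // The caller now passes step = -1, a value the buggy range ruled out.
  const accessed = run(arr, 0, 8, -1, buggyElidesCheck);
  return {
    soundRange,
    buggyRange,
    soundKeepsCheck,
    buggyElidesCheck,
    oob: outOfBounds(arr, accessed),
  };
}

console.log(demo());
```

The sound analysis, unable to bound a step that may be negative, returns the full int32 range and keeps the check; the buggy one returns [0, 7], the check is removed, and the first call with `step = -1` walks backwards off the start of the array. Real JITs guard speculative assumptions with deoptimization checks, so the analogous real bug is a range that the compiler believes is proven when it is not.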

Exploitation requires only that a victim navigate to a crafted page: once the target function is hot enough for TurboFan to compile it, no further interaction is needed. The result is code execution inside the Chrome renderer process, which is sandboxed. Under Site Isolation each site gets its own renderer, so a compromised renderer can read and act on the data of the site it is rendering (DOM contents, non-HttpOnly cookies, credentialed same-site requests) but is largely cut off from other sites' processes. Reaching the underlying OS requires chaining a separate sandbox escape, and none was publicly reported as part of this exploit. In-sandbox RCE is still enough for credential and cookie theft, in-browser cryptomining and other payload delivery, and staging of a follow-on exploit or malware download from the browser context.

Attack characteristics:

  • Attack vector: Network (victim visits attacker-controlled page)
  • Authentication required: None
  • User interaction: Visit to crafted HTML page
  • Impact scope: In-sandbox RCE (renderer process only without a separate sandbox escape)

Discovery

Reported by an anonymous researcher using the handle 303f06e3 on April 27, 2026. Google awarded a $55,000 bug bounty. Chromium issue 506689381 remains access-restricted pending broad update rollout, consistent with Google's standard coordinated disclosure practice for actively exploited vulnerabilities.

Exploitation Context

Google confirmed in its release notes that "an exploit for CVE-2026-11645 exists in the wild" — standard language used when Google has confirmed active in-the-wild exploitation without attributing it to a specific threat actor. No public attribution to a named APT or criminal group has been made. The pattern of five Chrome zero-days within a single calendar year is consistent with targeted exploitation by well-resourced actors, though browser zero-days are also traded in commercial exploit markets and used by a wide range of threat actors.

Remediation

  1. Update Chrome to 149.0.7827.102 or later: Chrome menu → Help → About Google Chrome. Opening the page triggers an update check and prompts for a relaunch; the fix is not active until the browser restarts. Confirm the running build afterwards at chrome://version.
  2. Enterprise deployments: Push the update via Google Admin Console or Microsoft Intune and verify version compliance across the fleet, comparing version numbers numerically rather than as strings. BOD 22-01 binds US federal civilian agencies to the June 23 deadline; other organizations should treat it as a reasonable upper bound for an actively exploited browser bug.
  3. Chromium-based browsers: Apply vendor updates as they become available. Edge, Opera, Brave, and others each ship their own patched builds incorporating the fixed V8 version, on their own schedules, so the Chrome fixed version above does not apply to them directly.
  4. Enable auto-update for Chrome organization-wide, and use the RelaunchNotification and RelaunchNotificationPeriod policies to keep the window between a pending update and the actual restart short on managed devices.
  5. Defense-in-depth: Enforce Site Isolation (SitePerProcess policy) and consider browser isolation solutions for high-risk user populations (executives, IT admins) while patches propagate. Because the bug is in TurboFan, Chrome's per-site V8 optimizer control (the DefaultJavaScriptOptimizerSetting policy, or the corresponding site setting under Settings → Privacy and security → Security) removes the vulnerable tier for the sites it covers, at a JavaScript performance cost.
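For step 2, a fleet compliance check along the following lines (an added example, not part of the advisory and not a Google tool) avoids the classic mistake of comparing version strings lexically, which would rank 149.0.7827.99 above 149.0.7827.102. The CSV layout, the inventory rows and the function names are assumptions; a real run would take the export from the Admin Console or MDM. Non-Chrome Chromium browsers are flagged for a vendor advisory check rather than compared against the Chrome fixed build:

```javascript
// Fleet compliance check for CVE-2026-11645: compare reported Chrome versions
// against the first fixed build. Added example, not part of the advisory.
// The hostname,browser,version layout and the rows below are constructed.

const FIXED_CHROME = "149.0.7827.102";

// Chrome versions are four dot-separated integers: MAJOR.MINOR.BUILD.PATCH.
function parseVersion(s) {
  const parts = String(s).trim().split(".");
  if (parts.length !== 4 || !parts.every((p) => /^\d+$/.test(p))) {
    throw new Error(`not a Chrome version string: ${s}`);
  }
  return parts.map(Number);
}

// Component-wise numeric comparison: -1, 0 or 1.
function compareVersions(a, b) {
  const va = parseVersion(a);
  const vb = parseVersion(b);
  for (let i = 0; i < 4; i++) {
    if (va[i] !== vb[i]) return va[i] < vb[i] ? -1 : 1;
  }
  return 0;
}

function isChromePatched(version) {
  return compareVersions(version, FIXED_CHROME) >= 0;
}

// Classify each inventory row. Only Chrome has a known fixed version here;
// other Chromium-based browsers need their vendor's advisory.
function audit(csv) {
  const results = [];
  for (const line of csv.split("\n")) {
    const row = line.trim();
    if (!row || row.startsWith("#")) continue;
    const [host, browser, version] = row.split(",").map((f) => f.trim());
    let status;
    if (browser.toLowerCase() === "chrome") {
      try {
        status = isChromePatched(version) ? "patched" : "vulnerable";
      } catch (e) {
        status = "unparseable"; // surface bad inventory data, don't hide it
      }
    } else {
      status = "check-vendor";
    }
    results.push({ host, browser, version, status });
  }
  return results;
}

function vulnerableHosts(csv) {
  return audit(csv)
    .filter((r) => r.status === "vulnerable")
    .map((r) => r.host);
}

// Constructed sample inventory (hostnames and versions are made up).
const SAMPLE_INVENTORY = `
# host,browser,version
ws-001,Chrome,149.0.7827.102
ws-002,Chrome,149.0.7827.99
ws-003,Chrome,148.0.7700.210
ws-004,Chrome,149.0.7827.103
ws-005,Chrome,150.0.8001.4
ws-006,Edge,149.0.3200.10
ws-007,Chrome,unknown
`;

console.log(audit(SAMPLE_INVENTORY));
console.log("needs update:", vulnerableHosts(SAMPLE_INVENTORY));
```

Rows that fail to parse are reported as a separate status rather than silently treated as patched, since an inventory gap on an actively exploited bug is itself a finding.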

Key Details

Property              Value
CVE ID                CVE-2026-11645
Vendor / Product      Google — Chromium V8
NVD Published         2026-06-09
NVD Last Modified     2026-06-09
CVSS 3.1 Score        8.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-125
CISA KEV Added        2026-06-09
CISA KEV Deadline     2026-06-23
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector        Network
Attack Complexity    Low
Privileges Required  None
User Interaction     Required
Scope                Unchanged
Confidentiality      High
Integrity            High
Availability         High

Required Action

CISA BOD 22-01 Deadline: 2026-06-23. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date          Event
2026-04-27    Vulnerability reported to Google by anonymous researcher '303f06e3'
2026-06-08    Google releases Chrome 149.0.7827.102/103 with fix; exploitation confirmed in the wild
2026-06-09    CVE published; added to CISA Known Exploited Vulnerabilities catalog
2026-06-23    CISA BOD 22-01 remediation deadline