CVE-2026-11645: Chrome V8 Out-of-Bounds Read/Write Enables Remote Code Execution
CVE-2026-11645 is a high-severity out-of-bounds read/write flaw in Chrome's V8 engine (CVSS 8.8) actively exploited in the wild. Federal agencies must patch by 2026-06-23.

TL;DR
- CVE-2026-11645 is an out-of-bounds read and write vulnerability in the V8 JavaScript engine inside Google Chrome, rated CVSS 8.8 (High).
- A remote attacker can exploit it by serving a crafted HTML page, leading to arbitrary code execution inside the Chrome sandbox.
- All Google Chrome versions prior to the fixed release listed in the official stable channel advisory are affected.
- Active exploitation is confirmed - CISA has added this to the Known Exploited Vulnerabilities catalog, with federal remediation due 2026-06-23.
- Immediate action: update Chrome to the vendor-patched version and restart the browser; no reliable workaround exists.
What is CVE-2026-11645?
CVE-2026-11645 is a memory-corruption flaw in V8, the JavaScript and WebAssembly engine that powers Google Chrome. Specifically, V8 performs out-of-bounds reads and writes when processing specially constructed JavaScript within a malicious HTML page, allowing an attacker to corrupt heap memory in ways that ultimately hand over code execution - all without requiring any attacker privileges.
Out-of-bounds memory access flaws in JavaScript engines are among the most dangerous classes of browser bugs. V8 processes untrusted JavaScript at enormous speed, and when its internal bounds checks fail, an attacker can manipulate object pointers, type information, or JIT-compiled code regions. The result in this case is confirmed arbitrary code execution inside the Chrome sandbox, which still represents a serious breach of the browser's security model.
Who is affected?
- Google Chrome on all desktop platforms (Windows, macOS, Linux) prior to the patched version specified in the vendor advisory
- Any user or organization that browses with an unpatched Chrome installation
- Enterprise environments where Chrome auto-update is disabled or delayed via policy
- Chromium-based browsers that derive from the same V8 codebase (check each vendor's own advisory for confirmation)
How severe is it?
The CVSS 3.1 base score is 8.8, carrying a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H.
Breaking that down:
| Metric | Value | Meaning |
|---|---|---|
| Attack Vector | Network | Exploitable remotely over HTTP/HTTPS |
| Attack Complexity | Low | No special conditions or race conditions required |
| Privileges Required | None | Attacker needs no account or prior access |
| User Interaction | Required | Victim must open a malicious page |
| Scope | Unchanged | Exploitation contained to the browser process |
| Confidentiality / Integrity / Availability | High / High / High | Full compromise of the browser process |
The Low Attack Complexity rating is particularly significant. It means the exploit does not depend on timing windows or environment-specific conditions, lowering the bar for threat actors considerably. While execution is sandboxed, a successful hit gives the attacker full read and write capability within the Chrome renderer process - enough to exfiltrate session tokens, cookies, and locally accessible data, or to chain with a secondary privilege-escalation bug.
Is it being exploited?
Yes - actively. CISA added CVE-2026-11645 to its Known Exploited Vulnerabilities catalog on or around the publication date of 2026-06-08, setting a binding operational directive deadline of 2026-06-23 for federal civilian executive branch agencies. This confirms real-world exploitation, not merely theoretical risk. Organizations outside the federal government should treat the CISA KEV deadline as a strong signal and prioritize patching on the same timeline.
How to fix and mitigate it
- Update Google Chrome immediately. Apply the version specified in the stable channel update advisory. Do not rely on a version number from a third-party source - consult the official advisory for the exact patched build.
- Restart the browser fully after the update downloads. The patch is not active until Chrome relaunches.
- Verify the installed version by navigating to chrome://settings/help. Confirm the displayed version matches or exceeds the patched build in the advisory.
- Enable automatic updates in enterprise environments via your MDM or group policy if they are currently throttled or disabled.
- Block or restrict access to unknown or untrusted external websites on high-risk endpoints as a short-term control until patching is complete - this does not eliminate risk but reduces the attack surface.
- Audit Chromium-based browsers (Edge, Brave, Opera, etc.) separately and apply their vendor-specific patches as they become available.
- Disable JavaScript in Chrome only as a last resort in locked-down kiosk or specialized environments; this will break the vast majority of web functionality and is not viable for general-purpose use.
How to detect exposure
Check the Chrome version on endpoints:
```sh
# Linux
google-chrome --version
# macOS
/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --version
```

```powershell
# Windows (PowerShell)
(Get-Item "C:\Program Files\Google\Chrome\Application\chrome.exe").VersionInfo.FileVersion
```
Any version string lower than the fixed build in the official advisory indicates an exposed host.
Enterprise-wide inventory: Use your endpoint management platform (Intune, JAMF, Ansible, or similar) to query the installed Chrome version across the fleet and filter for unpatched hosts.
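Comparing version strings as text gives wrong answers (as text, "999.0.999.200" sorts after "999.0.1000.50"), so fleet output should be compared numerically, field by field. The script below is an added example, not part of the original advisory; `FIXED_BUILD` is a placeholder because this page does not state the patched version, and the inventory rows and function names are constructed for illustration.

```python
import re

# PLACEHOLDER: replace with the fixed build from the official stable channel
# advisory. This value is constructed and is not a real Chrome release.
FIXED_BUILD = "999.0.1000.50"

# Constructed sample inventory: (hostname, raw output of the version command).
SAMPLE_INVENTORY = [
    ("ws-001", "Google Chrome 999.0.999.200"),    # older build, sorts higher as text
    ("ws-002", "Google Chrome 999.0.1000.50"),    # exactly the fixed build
    ("ws-003", "999.0.1000.9"),                   # bare FileVersion from PowerShell
    ("ws-004", "Google Chrome 1000.0.1.2 beta"),  # newer major, sorts lower as text
    ("ws-005", "command not found"),              # no version recovered
]

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return the four-part version as a tuple of ints, or None if absent."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def classify(inventory, fixed_build=FIXED_BUILD):
    """Map each host to 'exposed', 'patched' or 'unknown'."""
    fixed = parse_version(fixed_build)
    if fixed is None:
        raise ValueError("fixed build must look like MAJOR.MINOR.BUILD.PATCH")
    result = {}
    for host, raw in inventory:
        version = parse_version(raw)
        if version is None:
            result[host] = "unknown"  # unverified hosts are not assumed safe
        else:
            result[host] = "exposed" if version < fixed else "patched"
    return result


def exposed_hosts(inventory, fixed_build=FIXED_BUILD):
    """Hosts to prioritise: confirmed below the fixed build."""
    status = classify(inventory, fixed_build)
    return sorted(h for h, s in status.items() if s == "exposed")
```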
EDR and proxy telemetry: Look for Chrome renderer processes spawning unexpected child processes or making outbound connections to unfamiliar endpoints shortly after a user loads an external page - a potential indicator of post-exploitation activity.
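The child-process half of that check can be expressed as a filter over process-creation events. The code below is an added example, not part of the original advisory; it assumes events exported with Sysmon Event ID 1 field names, relies on Chrome renderer processes carrying `--type=renderer` on their command line, and uses constructed sample events.

```python
import ntpath  # splits on both "\" and "/", so Windows and Linux paths work

# Executable names for Chrome on Windows and Linux (macOS helper names differ
# and are not covered here).
CHROME_NAMES = {"chrome", "chrome.exe"}

# Constructed process-creation events using Sysmon Event ID 1 field names.
SAMPLE_EVENTS = [
    {"Computer": "ws-001", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentCommandLine": "chrome.exe --type=renderer --lang=en-US"},
    {"Computer": "ws-002",  # browser process starting one of its own helpers
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentCommandLine": "chrome.exe"},
    {"Computer": "ws-003", "Image": "/bin/sh",
     "ParentImage": "/opt/google/chrome/chrome",
     "ParentCommandLine": "/opt/google/chrome/chrome --type=renderer"},
    {"Computer": "ws-004", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": "explorer.exe"},
]


def parent_is_renderer(event):
    """True when the parent is a Chrome process started as a renderer."""
    name = ntpath.basename(event["ParentImage"]).lower()
    return (name in CHROME_NAMES
            and "--type=renderer" in event["ParentCommandLine"].split())


def renderer_child_spawns(events, allowed_children=frozenset()):
    """Return (host, child image name) for each process a renderer created.

    allowed_children is a hypothetical allowlist of lower-case image names
    for children your environment has confirmed as benign.
    """
    hits = []
    for event in events:
        child = ntpath.basename(event["Image"]).lower()
        if parent_is_renderer(event) and child not in allowed_children:
            hits.append((event["Computer"], child))
    return hits
```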
Log review: If your proxy logs HTTP requests, filter for visits to newly registered domains or domains with low reputation scores within the window when the vulnerability was publicly known but unpatched on your estate.
Frequently asked questions
Do I need to restart Chrome after applying the update?
Yes. Chrome downloads the update automatically in the background, but the fix only takes effect after a full browser restart. Confirm the patch is active by navigating to chrome://settings/help and verifying the version shown matches or exceeds the fixed release noted in the vendor advisory.
Does Chrome's sandbox fully block the attack?
No. The CVE description explicitly states the arbitrary code executes inside the sandbox, meaning the sandbox is not a reliable mitigation on its own. A secondary sandbox-escape vulnerability could chain with this flaw to gain broader system access, which is why patching promptly is the only reliable control.
Are Chromium-based browsers like Edge or Brave also affected?
The official record lists Google Chrome as the affected product. However, because Microsoft Edge, Brave, Opera, and other Chromium-derived browsers share the V8 engine codebase, they may carry the same flaw. Check each vendor's security advisory and apply their respective updates independently.
Is this vulnerability exploitable without user interaction?
User interaction is required - the CVSS vector records UI:R, meaning a victim must visit or load a crafted HTML page. No privileges are required from the attacker's side (PR:N), and exploitation is possible over the network (AV:N), making phishing and malvertising realistic delivery vectors.









