Google Issues Security Patch for Chrome V8 Zero-Day Vulnerability

Google has announced the release of security updates addressing 74 vulnerabilities in its Chrome web browser, including a significant zero-day flaw identified as CVE-2026-11645. This high-severity vulnerability, which has a Common Vulnerability Scoring System (CVSS) score of 8.8, results from an out-of-bounds memory access in V8, the JavaScript and WebAssembly engine utilised by Chrome.

According to details from the National Vulnerability Database (NVD), the flaw enables a remote attacker to execute arbitrary code within a sandboxed environment by presenting a specially crafted HTML page.

The vulnerability was discovered and reported by a security researcher known by the alias “303f06e3” on April 27, 2026. In recognition of the responsible disclosure, Google awarded the researcher a bug bounty of $55,000.

Acknowledging the seriousness of the situation, Google confirmed that an active exploit attempting to leverage CVE-2026-11645 has been identified in the wild. However, the company refrained from disclosing further specifics to protect users and encourage swift updates.

Prior to this update, Google had already addressed four other actively exploited zero-day vulnerabilities in Chrome since the beginning of the year: CVE-2026-2441, CVE-2026-3909, CVE-2026-3910, and CVE-2026-5281. To safeguard against potential attacks, users are urged to update their Chrome browser to versions 149.0.7827.102 or 149.0.7827.103 for both Windows and Apple macOS systems, and to version 149.0.7827.102 for Linux users.

To ensure that users have the latest updates, they can navigate to More > Help > About Google Chrome, and follow the prompts to relaunch the browser.

Furthermore, users of other Chromium-based browsers, such as Microsoft Edge, Brave, Opera, and Vivaldi, should also apply the relevant updates as they become available to mitigate their exposure to this vulnerability.