INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
ATTENTION: This report is based on previous data. New intelligence sources have been linked and the Executive Summary and Mitigations need to be re-synthesized.
Chrome V8 Zero-Day Exploited in the Wild Patch
2026-06-09 11:58 | MEDIUM HIGH
Executive Summary AI-generated
The high-severity vulnerability, tracked as CVE-2026-11645 (CVSS score: 8.8), has been described as an out-of-bounds memory access in V8, Google Chrome's JavaScript and WebAssembly engine. This flaw allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. As is customary in these cases, Google acknowledged that an exploit for CVE-2026-11645 exists in the wild but stopped short of sharing additional specifics, to ensure that a majority of users are updated with a fix and to prevent further exploitation. Users are advised to update their Chrome browser to versions 149.0.7827.102/.103 for Windows and Apple macOS, and 149.0.7827.102 for Linux, or apply the security updates as and when they become available.
Technical Mitigations AI-generated
* Use a sandboxed environment: Ensure that your system is isolated from other applications and services to prevent attackers from executing arbitrary code inside the browser.
* Keep Chrome up-to-date: Regularly update your Chrome browser to ensure you have the latest security patches, including fixes for CVE-2026-11645.
* Avoid using outdated extensions or plugins: Refrain from installing or updating extensions or plugins that may be vulnerable to exploitation of this vulnerability.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2026-3909
CVE-2026-2441
CVE-2024-0519
CVE-2026-5281
CVE-2026-3910
CVE-2026-11645
Target & Sectors
Global Scope
Incident Timeline
2025/06/09
Threat actors exploited an eight zero-day vulnerability in Google's Chrome browser.
organisation
Threat Analysis Group
Last year, Google fixed another eight zero-days exploited in the wild, many of them reported by the company's Threat Analysis Group (TAG), which is known for identifying and tracking zero-day exploits used in spyware attacks.
April 27
Google released a patch for the Chrome vulnerability exploited in the wild on April 27.
April 27, 2026
Google released a patch for the Chrome vulnerability exploited in the wild on April 27, 2026.
June 8
Google released a security bulletin on June 8, which included fixes for 17 critical vulnerabilities and 55 high-severity ones.
general_metric
17 critical vulnerabilities
The security bulletin, published on June 8, includes fixes for 17 critical vulnerabilities, 55 high-severity ones and two medium-severity ones.
general_metric
55 severity ones
Jun 09, 2026
Google released a patch for the Chrome vulnerability exploited in the wild on June 9, 2026.
2026/06/09
BleepingComputer discovered and released a patch for the Chrome vulnerability exploited in the wild.
organisation
BleepingComputer
While Google says the security update could take days or weeks to reach all Chrome users, the update was available immediately when BleepingComputer checked for updates earlier today.
2026/06/09
Google released a patch for the Chrome vulnerability exploited in the wild, CVE-2026-11645.
infrastructure
Windows
The security fixes will roll out “over the coming days/weeks” for Chrome users on Windows, Mac and Linux.
$55,000 For Reporting CVE-2026-11645 to Google
Among these, CVE-2026-11645 is an out of bounds read and write vulnerability affecting V8 in Google Chrome versions prior to 149.0.7827.103.
The stable channel has been updated to 149.0.7827.102/.103 for Windows/Mac, and 149.0.7827.102 for Linux, which will roll out over the coming weeks.
Chrome 149.0.7827.102/103 is up to date on Windows and Mac
You can also find step-by-step instructions in our guide to how to update Chrome on every operating system.
For optimal protection, users are advised to update their Chrome browser to versions 149.0.7827.102/.103 for Windows and Apple macOS, and 149.0.7827.102 for Linux.
The company fixed the zero-day for users in the Stable Desktop channel, with patched versions rolling out worldwide to Windows (149.0.7827.102), Mac (149.0.7827.103), and Linux (149.0.7827.102) systems two weeks after an anonymous security researcher reported it to Google.
infrastructure
Linux
infrastructure
149.0.7827
Google describes it as:
“Out of bounds read and write in V8 in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.”
"Out-of-bounds read and write in V8 in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page," reads a description of the flaw in the NIST's National Vulnerability Database (NVD).
organisation
Windows, Mac
organisation
Google Chrome
financial
$55,000 Linux
They were awarded $55,000 for disclosing it to the Chrome security team.
organisation
CVE-2026
When exploited, CVE-2026-11645 allows a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
As is customary in these cases, Google acknowledged that an "exploit for CVE-2026-11645 exists in the wild," but stopped short of sharing additional specifics to ensure that a majority of the users are updated with a fix and to prevent further exploitation.
"Google is aware that an exploit for CVE-2026-11645 exists in the wild," the company said in a Monday security advisory.
organisation
HTML
This high-severity zero-day vulnerability (CVE-2026-11645) stems from an out-of-bounds read and write weakness in the Chrome V8 JavaScript engine, which remote attackers can exploit via crafted HTML pages to execute arbitrary code inside the web browser's sandbox.
organisation
Chrome
The high-severity vulnerability, tracked as CVE-2026-11645 (CVSS score: 8.8), has been described as an out-of-bounds memory access in V8, Chrome's JavaScript and WebAssembly engine.
organisation
WebAssembly
Two other Chrome zero-day bugs exploited in attacks in March: an out-of-bounds write weakness in the Skia 2D graphics library (CVE-2026-3909), and an inappropriate implementation vulnerability in the V8 JavaScript and WebAssembly engine (CVE-2026-3910).
organisation
Windows/Mac
organisation
Windows and Mac
infrastructure
Macos
organisation
Stable Desktop
organisation
NIST
organisation
National Vulnerability Database
organisation
NVD
organisation
Google
Google Releases Patch for Chrome Vulnerability Exploited in the Wild.
Google has issued updates for the Chrome browser, patching a number of high-severity vulnerabilities.
Ravie Lakshmanan
Jun 09, 2026
Vulnerability / Browser Security
Google has released security updates to address 74 vulnerabilities, including one that has come under active exploitation in the wild.
Google has released emergency updates to patch another Chrome zero-day vulnerability that has been exploited in the wild, the fifth such flaw patched since the start of the year.
organisation
Vulnerability / Browser Security
organisation
Mijansk786 / Wachiwit / Shutterstock.com
Image credits: Mijansk786 / Wachiwit / Shutterstock.com
Read now: Patch Responsibility Remains Up for Grabs as AI Unearths Decades of Flaws
organisation
AI Unearths Decades of Flaws
organisation
Malwarebytes Browser Guard
Malwarebytes Browser Guard blocks phishing pages and malicious sites automatically.
organisation
Chrome’s V8
This means this flaw was found in Chrome’s V8 engine—the part of Chrome (and other Chromium-based browsers) that runs JavaScript.
organisation
Chromium
Users of other Chromium-based browsers, such as Microsoft Edge, Brave, Opera, and Vivaldi, are also advised to apply the fixes as and when they become available.
And a use-after-free weakness in Dawn (CVE-2026-5281), the underlying cross-platform implementation of the WebGPU standard used by the Chromium project, which Google patched in April.
organisation
Microsoft Edge, Brave,
organisation
WebGPU
organisation
Skia 2D
organisation
PDF
The update also includes some new features, like the ability to sign PDF forms without using an extension.
organisation
CSS
Since the start of the year, Google addressed four more zero-days exploited in attacks:
An iterator invalidation bug (CVE-2026-2441) in CSSFontFeatureValuesMap (Chrome's implementation of CSS font feature values), which Google addressed in mid-February.
organisation
CVE-2024-0519
While Google said it was aware of CVE-2024-0519 zero-day exploits used in attacks, the company has not yet shared further details about these incidents.
organisation
EDR
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.
Tactical Metrics
Metrics
infrastructure
149.0.7827
Software Version
Metrics
infrastructure
Windows
Affected Product
Metrics
infrastructure
Macos
Affected Product
Metrics
infrastructure
Linux
Affected Product
Metrics
financial
55,000
Linux
Intelligence Sources
BleepingComputer | 2026-06-09 | Google patches new Chrome zero-day flaw exploited in the wild
The Hacker News | 2026-06-09
Malware Bytes | 2026-06-09
Infosecurity-Magazine | 2026-06-09 | Google Releases Patch for Chrome Vulnerability Exploited in the Wild
Incident Version History
CURRENT VERSION
Last Updated: 2026-06-15T10:15
Comprehensive Tactical Telemetry
Highly Correlated Entities
28x | organisation | Identified Entity | Chrome | entity
7x | timeline | Temporal Reference | Jun 09, 2026 | date
6x | vulnerability | Exploited CVE | CVE-2026-11645 | cve
3x | infrastructure | Affected Product | Windows | software
2x | general metric | % | 54 | %
Contextual Telemetry
Context Block
10 METRICS
tactic | MITRE ATT&CK Technique | T1059.007 - JavaScript | technique
general metric | Severity Vulnerability | 9 | severity vulnerability
infrastructure | Software Version | 149.0.7827 | version
general metric | Jun | 9 | jun
general metric | Vulnerabilities | 74 | vulnerabilities
financial | Linux | 55,000 | linux
general metric | Critical Vulnerabilities | 17 | critical vulnerabilities
general metric | Severity Ones | 55 | severity ones
tactic | Cyber Operation Type | Phishing | tactic
general metric | Others | 73 | others