CVE-2026-11645: The Fifth Chrome Zero-Day Exploited in 2026 and What It Means

Patch Details and Timeline

The emergency patch was pushed through the Stable Desktop channel on June 8, 2026, as part of a broader release that corrects 74 security vulnerabilities in a single update . Google confirmed that an exploit for CVE-2026-11645 "exists in the wild," which makes this an urgent, must-apply update for anyone running Chrome on desktop .

The patched versions are:

• Windows and macOS: Chrome 149.0.7827.102 / 149.0.7827.103
• Linux: Chrome 149.0.7827.102

As is standard for Chrome Stable updates, the fix rolls out progressively over days and weeks, though users can manually trigger the update through Chrome menu > Help > About Google Chrome.

Bug Bounty and Disclosure

An anonymous security researcher operating under the handle "303f06e3" discovered and reported the vulnerability to Google on April 27, 2026 . Google issued a $55,000 bounty for the finding, consistent with the Chrome Vulnerability Rewards Program's reward tiers for high-impact V8 memory corruption bugs . While Google's official Chrome Releases blog post for this cycle includes the bounty amount in its summary, the company typically does not break down bounty figures for every individual vulnerability in its security advisories .

The Broader 2026 Chrome Zero-Day Picture

With CVE-2026-11645, Chrome has now seen five actively exploited zero-days patched in 2026 alone . The full list before June shows an accelerating tempo of in-the-wild browser exploits:

• CVE-2026-2441 (February 2026): A use-after-free flaw in Chrome's CSS processing that allowed remote code execution inside the sandbox via crafted HTML pages .
• CVE-2026-3909 (March 12, 2026): An out-of-bounds write vulnerability in Skia, the 2D graphics library that underpins Chrome's rendering pipeline .
• CVE-2026-3910 (March 12, 2026): An inappropriate implementation bug in V8 that allowed arbitrary code execution inside the browser sandbox, patched in the same release as CVE-2026-3909 .
• CVE-2026-5281 (April 1, 2026): A use-after-free bug in Dawn, Chrome's cross-platform WebGPU implementation, which CISA added to its Known Exploited Vulnerabilities catalog with a deadline for federal agencies to patch .
• CVE-2026-11645 (June 2026): The V8 out-of-bounds read/write zero-day patched in this emergency update .

All five vulnerabilities were confirmed as exploited in the wild before patches shipped — a pattern that puts 2026 on track to exceed Google's total Chrome zero-day count from previous years. Multiple sources covering the patching cycle note that each month's disclosure now frequently includes at least one actively exploited bug, placing sustained pressure on IT teams to shorten their patch cycles for browser software .

What Users Should Do Now

Chrome typically updates itself in the background, but the automatic rollout can take days to reach every user. For immediate protection, open Chrome, go to the three-dot menu in the top-right corner, select Help > About Google Chrome, and allow the browser to check for and apply any available update. The version number should read 149.0.7827.102 or higher on Windows and Linux, and 149.0.7827.103 or higher on macOS .

Organizations managing Chrome deployments should verify that all endpoints are receiving the latest stable release and consider accelerating deployment timelines for this out-of-band patch. The confirmed in-the-wild exploitation status means any system running an earlier version of Chrome remains exposed to active attack.