high Threat analysis

Google Chromium V8 CVE-2026-11645: KEV Out-of-Bounds Execution in JavaScript Engine

CISA added Google Chromium V8 CVE-2026-11645 to its KEV catalog on 2026-06-09 due to active exploitation. This high-severity out-of-bounds read and write flaw in the V8 engine allows remote attackers to execute arbitrary code or cause browser crashes by luring users to crafted HTML pages.

#google-chrome #chromium #v8 #cisa-kev #zero-day

    Executive Summary

    CISA added CVE-2026-11645 to the Known Exploited Vulnerabilities catalog on 2026-06-09, marking it as actively exploited (CISA KEV). The affected software is Google Chromium V8, the JavaScript and WebAssembly engine used in Google Chrome and other Chromium-based browsers. The vulnerability is a high-severity out-of-bounds (OOB) read/write flaw that allows remote attackers to execute arbitrary code inside the browser’s sandbox or trigger system crashes when a user visits a malicious HTML page.

    This is the fifth actively exploited Chrome zero-day identified in 2026. The vulnerability affects Google Chrome versions prior to 149.0.7827.102 (for Windows and Linux) and 149.0.7827.103 (for macOS and Windows). Chromium-based browsers like Microsoft Edge, Brave, Opera, and Vivaldi also inherit exposure. Administrators and users are urged to apply browser updates immediately.

    Key Facts

    cve: "CVE-2026-11645"
    vendor: "Google"
    product: "Chromium V8 Engine"
    vulnerability: "Out-of-bounds read and write in V8 JavaScript engine"
    cwe: "CWE-125"
    disclosed_date: "2026-06-09"
    kev_added: "2026-06-09"
    affected_versions: "Chrome < 149.0.7827.102 / 103"
    fixed_versions:
      - "149.0.7827.102 (Windows/Linux)"
      - "149.0.7827.103 (macOS/Windows)"
    high_value_evidence:
      - "Chrome version query"
      - "V8 engine version matching"

    Source Confidence & Evidence Mapping

    • confirmed: CISA added CVE-2026-11645 to the KEV catalog, verifying active exploitation in the wild (CISA KEV).
    • confirmed: Chrome release blogs record the V8 OOB read/write issue and specify the fixed builds for Windows, macOS, and Linux (Google Chrome Releases).
    • confirmed: NIST NVD lists the CVSS metrics and maps the vulnerability to Chromium V8 out-of-bounds processing.

    Impact Determination

    | Classification | Criteria | Required evidence | Handling decision |
    | --- | --- | --- | --- |
    | Confirmed compromise | Sandbox escape traces or arbitrary process execution under the user’s browser process space (e.g. unexpected spawning of cmd.exe or local shell commands triggered by browsing history). | System process spawning history, endpoint detection (EDR) alerts indicating suspicious child processes of browser executables. | Isolate the affected endpoint, perform full endpoint forensic capture, and rotate credentials used in the browser session. |
    | Presumed exposed | The browser application is running a Chromium-based build below version 149.0.7827.102/103. | Software audit records showing outdated Google Chrome, Microsoft Edge, Brave, Vivaldi, or Opera installations. | Update all client workstations to patched versions immediately. |
    | Potentially exposed | Workstation endpoints are unmanaged, or version auditing software reports incomplete details. | Missing software versions in corporate MDM / asset registers. | Trigger corporate-wide browser update checks. |
    | Not exposed | Chromium browsers are verified as updated to or past version 149.0.7827.102/103. | MDM software version confirmation. | No immediate action required. |
    | Unknown | Endpoint browser software registry data is missing or incomplete. | Log/telemetry gaps for remote client endpoints. | Assume exposure and prompt updates. |

    Timeline

    • 2026-06-09: Google releases Chrome updates to patch the zero-day vulnerability.
    • 2026-06-09: CISA adds CVE-2026-11645 to the Known Exploited Vulnerabilities catalog.
    • 2026-06-10: This threat post analysis is published.

    Technical Analysis

    The V8 engine handles JavaScript array indexing and array bounds checks during compilation and optimization (TurboFan). An out-of-bounds read/write flaw occurs when the compiler's optimization steps incorrectly simplify boundary assertions, leading to memory access outside the allocated array buffer. An attacker can construct a script that targets this optimization failure to read and write memory values, bypass ASLR, and execute payload code within the browser sandbox.

    Affected Assets and Blast Radius

    asset_selectors:
      - "chrome"
      - "chromium"
    highest_value_assets:
      - "User workstations running unpatched Chromium-based browsers with high-value domain access"
    credentials_and_data_at_risk:
      - "Local session cookies and cached credentials"
      - "Subprocess access to local system environment"

    Indicators And Detection Selectors

    vulnerabilities: ["CVE-2026-11645"]
    packages: ["google-chrome", "chromium"]
    telemetry_selectors:
      - "149.0.7827"
      - "chrome"

    Detection and Hunting

    Script: local repository and exported telemetry scope

    #!/usr/bin/env python3
    import os
    import sys
    from pathlib import Path
    
    ROOT = sys.argv[1] if len(sys.argv) > 1 else "."
    LOG_ROOT = os.environ.get("LOG_ROOT", "")
    OUT = Path(os.environ.get("OUT", "hp-google-chromium-v8-cve-2026-11645-kev-scope"))
    SINCE = "2026-06-09T00:00:00Z"
    UNTIL = "2026-06-09T23:59:59Z"
    
    PACKAGES = [
    ]
    VERSIONS = [
    ]
    FILES = [
    ]
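    # DOMAINS and URLS are the advisory source sites listed on this page, not
    # attacker infrastructure; a match means a file references the advisories.
    DOMAINS = [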
      "www.cisa.gov",
      "chromereleases.googleblog.com",
    ]
    URLS = [
      "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
      "https://chromereleases.googleblog.com/",
    ]
    IPS = [
    ]
    HASHES = [
    ]
    PROCESS_PATTERNS = [
    ]
    NETWORK_PATTERNS = [
    ]
    
    # Positive signal: repository, lockfile, artifact, process, or network telemetry contains one of the exact incident selectors above.
    # Escalation: any match tied to a production build, CI run, deployed asset, or secret-bearing host moves the asset to presumed exposed.
    
    OUT.mkdir(parents=True, exist_ok=True)
    indicators_file = OUT / "indicators.txt"
    
    # Collect unique indicators
    indicators = set()
    for group in [PACKAGES, VERSIONS, FILES, DOMAINS, URLS, IPS, HASHES, PROCESS_PATTERNS, NETWORK_PATTERNS]:
        for val in group:
            if val:
                indicators.add(val)
    
    with open(indicators_file, "w") as f:
        for ind in sorted(indicators):
            f.write(ind + "\n")
    
    print(f"[+] Written unique selectors to {indicators_file}")
    
    # Walk local directory
    print(f"[+] Scanning directory: {ROOT} for selectors...")
    matches = []
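    exclude_dirs = {"node_modules", "vendor", "dist", ".git"}
    out_dir = OUT.resolve()
    for root, dirs, filenames in os.walk(ROOT):
        # Prune dependency/VCS directories and this script's own output directory;
        # otherwise indicators.txt under OUT would match every selector.
        dirs[:] = [
            d for d in dirs
            if d not in exclude_dirs and (Path(root) / d).resolve() != out_dir
        ]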
        for filename in filenames:
            filepath = Path(root) / filename
            try:
                content = filepath.read_text(errors="ignore")
                for ind in indicators:
                    if ind in content:
                        matches.append(f"{filepath}: found '{ind}'")
            except Exception:
                pass
    
    if matches:
        (OUT / "repository-indicator-matches.txt").write_text("\n".join(matches) + "\n")
        print(f"[!] Found {len(matches)} matches in codebase!")
    
    # Optional Log Scanning
    if LOG_ROOT and os.path.exists(LOG_ROOT):
        print(f"[+] Scanning telemetry log directory: {LOG_ROOT}...")
        log_matches = []
        for root, _, filenames in os.walk(LOG_ROOT):
            for filename in filenames:
                filepath = Path(root) / filename
                try:
                    content = filepath.read_text(errors="ignore")
                    for ind in indicators:
                        if ind in content:
                            log_matches.append(f"{filepath}: found '{ind}'")
                except Exception:
                    pass
        if log_matches:
            (OUT / "exported-telemetry-indicator-matches.txt").write_text("\n".join(log_matches) + "\n")
            print(f"[!] Found {len(log_matches)} matches in logs!")
    
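    # Create the registry output directory whenever package selectors are defined,
    # independent of whether a log directory was scanned.
    if PACKAGES:
        registry_dir = OUT / "registry"
        registry_dir.mkdir(exist_ok=True)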
    
    print(f"[+] Wrote scope artifacts under {OUT}")
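
    The Impact Determination table keys on the installed build, and a substring selector such as 149.0.7827 matches patched and unpatched builds alike. The following is an added example, not part of the original script, that classifies inventory records by numeric version comparison against the fixed builds listed on this page. The record fields (host, platform, version), the sample rows and the choice of .102 as the Windows threshold are assumptions; it applies to Google Chrome build strings only, since other Chromium-based browsers use their own version numbering, which this page does not give.

```python
"""Classify Chrome inventory records against the fixed builds listed on this page."""
import re

# First fixed Chrome build per platform, taken from the page's fixed_versions.
# Windows appears under both .102 and .103; .102 is used here (assumption).
FIXED = {
    "windows": (149, 0, 7827, 102),
    "linux": (149, 0, 7827, 102),
    "macos": (149, 0, 7827, 103),
}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Return a 4-tuple of ints, or None if the string is not a full Chrome build."""
    match = VERSION_RE.match((text or "").strip())
    return tuple(int(part) for part in match.groups()) if match else None


def classify(record):
    """Map one inventory record to a row of the Impact Determination table."""
    fixed = FIXED.get((record.get("platform") or "").lower())
    version = parse_version(record.get("version"))
    if fixed is None or record.get("version") in (None, ""):
        return "Unknown"                 # platform or version data missing
    if version is None:
        return "Potentially exposed"     # version reported but incomplete
    # Tuple comparison is numeric per component, so 149.0.7827.99 < 149.0.7827.102
    # even though the string "99" sorts after "102".
    return "Presumed exposed" if version < fixed else "Not exposed"


def triage(records):
    """Return {host: classification} for a list of inventory records."""
    return {rec["host"]: classify(rec) for rec in records}


# Constructed sample inventory (hypothetical hosts, not real telemetry).
SAMPLE = [
    {"host": "ws-01", "platform": "Windows", "version": "149.0.7827.99"},
    {"host": "ws-02", "platform": "Linux", "version": "149.0.7827.102"},
    {"host": "mac-01", "platform": "macOS", "version": "149.0.7827.102"},
    {"host": "ws-03", "platform": "Windows", "version": "149.0"},
    {"host": "ws-04", "platform": "Linux", "version": ""},
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```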

    Sources

    1. CISA: KEV Catalog - Role: PRIMARY_RESEARCH - Impact: Active exploitation confirmation.
    2. Google: Chrome Release Blog - Role: DIRECT_SOURCE - Impact: Vulnerability disclosure, affected versions, and patch releases.
    3. NIST NVD: CVE-2026-11645 - Role: ENRICHMENT_DATA - Impact: Severity and category metrics.