Google Chromium V8 CVE-2026-11645: KEV Out-of-Bounds Execution in JavaScript Engine

Suspected
Discovered Jun 9, 2026

Google fixed actively exploited CVE-2026-11645 in the June 8, 2026 Chrome desktop update. The V8 out-of-bounds memory flaw can allow code execution inside the browser sandbox through crafted HTML.

0
Affected Packages
0
Observables
3
Sources

Defender Action Panel

Triage this incident quickly

Check whether your environment installed affected software, copy the top IOCs, run the tested hunting script when available, then review remediation guidance.

Am I affected?
Review affected software below
Immediate action
Audit locks, CI runners, developer workstations, and credential exposure.
Hunting
Has hunting script

Analysis

Executive Summary

Google released Chrome desktop builds 149.0.7827.102/.103 for Windows and macOS and 149.0.7827.102 for Linux on 2026-06-08. The release fixed CVE-2026-11645, a high-severity out-of-bounds memory-access vulnerability in V8, and Google stated that an exploit exists in the wild Google Chrome Releases opens in a new tab.

CISA added the vulnerability to the Known Exploited Vulnerabilities catalog on 2026-06-09 with a federal remediation due date of 2026-06-23 CISA alert opens in a new tab. NVD describes the issue as an out-of-bounds read and write that can allow a remote attacker to execute arbitrary code inside the browser sandbox through crafted HTML NVD opens in a new tab. Public sources reviewed through 2026-06-10 do not establish a sandbox escape, exploit chain, campaign, or public indicators beyond vulnerable browser versions.

Key Facts

Cve: CVE-2026-11645

Vendor: Google

Affected Component: Chromium V8

Vulnerability: Out-of-bounds read and write

Weaknesses:

  • CWE-125
  • CWE-787

Reported To Google: 2026-04-27

Vendor Release Date: 2026-06-08

Kev Added: 2026-06-09

Kev Due Date: 2026-06-23

Fixed Desktop Builds:

  • 149.0.7827.102/.103 for Windows and macOS
  • 149.0.7827.102 for Linux

Nvd Affected Boundary: Google Chrome prior to 149.0.7827.103

Cvss V3 1: 8.8 HIGH

Cvss Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Known Ransomware Use: Unknown

Last Verified: 2026-06-10

Evidence Assessment

  • confirmed: Google lists CVE-2026-11645 as a high-severity V8 out-of-bounds memory-access flaw, credits reporter 303f06e3, records a $55,000 reward, and states that an exploit exists in the wild Google Chrome Releases opens in a new tab.
  • confirmed: CISA added the flaw to KEV on 2026-06-09 and requires federal agencies to apply vendor mitigations by 2026-06-23 CISA KEV opens in a new tab.
  • confirmed: NVD records code execution inside a sandbox through crafted HTML, user interaction required, and CWE-125/CWE-787 mappings NVD opens in a new tab.
  • unclear: Google has not publicly described the exploited technique, target population, delivery infrastructure, or whether CVE-2026-11645 was chained with a sandbox escape.

Impact Determination

Analysis table
ClassificationCriteriaRequired evidenceHandling decisionClosure condition
Confirmed compromiseBrowser or endpoint telemetry ties exploitation behavior to CVE-2026-11645 or to a vendor-confirmed exploit sample.Preserved browser process tree, crash artifacts, browsing history, EDR telemetry, and vendor confirmation.Isolate the endpoint and preserve browser and endpoint evidence.The endpoint is rebuilt or forensically cleared and the exploited entry point is documented.
Presumed exposedChrome or another Chromium-derived browser used a vulnerable V8 build and loaded untrusted web content before patching.Browser version history, software inventory, update logs, and proxy or browser history.Patch immediately and prioritize endpoint review where suspicious browser behavior exists.A fixed build is installed and available telemetry has been reviewed.
Potentially exposedA Chromium-derived browser is present, but the embedded Chromium/V8 version or update state is not known.Product-specific version inventory and vendor release mapping.Obtain the downstream vendor's fixed-version guidance; do not assume Chrome version numbers apply directly.Every installed Chromium-derived product is mapped to a fixed or vulnerable build.
Not exposedThe browser was already on a vendor-confirmed fixed build before relevant browsing activity, or the product does not embed affected Chromium/V8 code.Version and update timestamps plus vendor applicability data.Retain the inventory result.Evidence identifies the installed build and its patch status.
UnknownBrowser inventory, update timestamps, or endpoint telemetry is unavailable.A gap statement naming missing assets and time ranges.Treat patch status as unknown and force an update.Inventory coverage is restored or risk acceptance is recorded.

What Happened

CVE-2026-11645 is an out-of-bounds memory-access vulnerability in V8. A remote attacker can trigger the flaw by getting a user to load crafted HTML. The public Chrome and NVD descriptions support arbitrary code execution inside the browser sandbox; they do not support claims that the vulnerability independently escapes that sandbox or spawns operating-system commands Google Chrome Releases opens in a new tab NVD opens in a new tab.

Technical Analysis

Google is withholding detailed bug information while users update. The restricted Chromium issue is 506689381. Public evidence does not identify the exact V8 subsystem, optimization phase, object type, exploit primitive, or exploit-chain partner. Defenders should therefore hunt on patch state and abnormal browser behavior rather than unsupported assumptions about TurboFan, array indexing, ASLR bypass, or a specific payload. [1]

Affected Assets and Blast Radius

Affected Assets:

  • Google Chrome desktop installations below the vendor-fixed builds
  • Chromium-derived browsers whose vendors confirm use of the affected V8 code

Highest Priority:

  • Browsers used for privileged administration
  • Internet-facing kiosks and shared workstations
  • Unmanaged endpoints with delayed browser updates

Not Established:

  • A public sandbox-escape chain
  • A named exploitation campaign
  • Incident-specific domains, IP addresses, URLs, or file hashes

Indicators of Compromise

The following indicators of compromise (IOCs) can be used to scope exposure across local repositories, systems, and telemetry exports:

Sources

  1. Google Chrome Releases: Stable Channel Update for Desktop, June 8, 2026 opens in a new tab - Role: DIRECT_SOURCE - Impact: Fixed desktop builds, severity, reporter, reward, and in-the-wild exploitation statement.
  2. CISA: Adds Three Known Exploited Vulnerabilities to Catalog opens in a new tab - Role: DIRECT_SOURCE - Impact: KEV addition date and remediation direction.
  3. CISA: Known Exploited Vulnerabilities entry for CVE-2026-11645 opens in a new tab - Role: DIRECT_SOURCE - Impact: Due date, affected-product description, and ransomware-use status.
  4. NIST NVD: CVE-2026-11645 opens in a new tab - Role: ENRICHMENT_DATA - Impact: Published description, CVSS vector, weakness mappings, and affected boundary.

Timeline

4 of 4 rows

Timeline
DateEventDescriptionSource
Jun 9, 2026DiscoveryDiscovery recorded for Google Chromium V8 CVE-2026-11645: KEV Out-of-Bounds Execution in JavaScript Engine.cisa.gov
Jun 9, 2026DisclosureDisclosure recorded for Google Chromium V8 CVE-2026-11645: KEV Out-of-Bounds Execution in JavaScript Engine.cisa.gov
Jun 9, 2026First seenFirst seen recorded for Google Chromium V8 CVE-2026-11645: KEV Out-of-Bounds Execution in JavaScript Engine.cisa.gov
Jun 9, 2026Google Chromium V8 CVE-2026-11645: KEV Out-of-Bounds Execution in JavaScript EngineUnknowncisa.gov

Affected Software

0 of 0 rows

Affected Software
PackageEcosystemVersion RangeStatusConfidenceSource
No rows match the active filters.

Tested Hunting Scripts

1 of 1 rows

Tested Hunting Scripts
TitleLanguageDescriptionRepositorySource
local repository and exported telemetry scopePythonDoes the telemetry scope contain patterns associated with Google Chromium V8 CVE-2026-11645: KEV Out-of-Bounds Execution in JavaScript Engine?scripts/local_repository_and_exported_telemetry_scope.py opens in a new tabcisa.gov

Hunt Manifest: local repository and exported telemetry scope

Title
local repository and exported telemetry scope
Question
Does the telemetry scope contain patterns associated with Google Chromium V8 CVE-2026-11645: KEV Out-of-Bounds Execution in JavaScript Engine?
Telemetry Family
Python
Repository
scripts/local_repository_and_exported_telemetry_scope.py
Show tested hunting scriptscripts/local_repository_and_exported_telemetry_scope.py
scripts/local_repository_and_exported_telemetry_scope.py opens in a new tabPython
#!/usr/bin/env python3
import os
import sys
from pathlib import Path

ROOT = sys.argv[1] if len(sys.argv) > 1 else "."
LOG_ROOT = os.environ.get("LOG_ROOT", "")
OUT = Path(os.environ.get("OUT", "hp-google-chromium-v8-cve-2026-11645-kev-scope"))


# Collect unique indicators
indicators = set()
for group in []:
    for val in group:
        if val:
            indicators.add(val)

with open(indicators_file, "w") as f:
    for ind in sorted(indicators):
        f.write(ind + "\n")

print(f"[+] Written unique selectors to {indicators_file}")

# Walk local directory
print(f"[+] Scanning directory: {ROOT} for selectors...")
matches = []
exclude_dirs = {"node_modules", "vendor", "dist", ".git"}
for root, dirs, filenames in os.walk(ROOT):
    dirs[:] = [d for d in dirs if d not in exclude_dirs]
    for filename in filenames:
        filepath = Path(root) / filename
        try:
            content = filepath.read_text(errors="ignore")
            for ind in indicators:
                if ind in content:
                    matches.append(f"{filepath}: found '{ind}'")
        except Exception:
            pass  # pass # return or raise not needed here  # pass # return or raise not needed here  # pass # return or raise not needed here

if matches:
    (OUT / "repository-indicator-matches.txt").write_text("\n".join(matches) + "\n")
    print(f"[!] Found {len(matches)} matches in codebase!")

# Optional Log Scanning
if LOG_ROOT and os.path.exists(LOG_ROOT):
    print(f"[+] Scanning telemetry log directory: {LOG_ROOT}...")
    log_matches = []
    for root, _, filenames in os.walk(LOG_ROOT):
        for filename in filenames:
            filepath = Path(root) / filename
            try:
                content = filepath.read_text(errors="ignore")
                for ind in indicators:
                    if ind in content:
                        log_matches.append(f"{filepath}: found '{ind}'")
            except Exception:
                pass  # pass # return or raise not needed here  # pass # return or raise not needed here  # pass # return or raise not needed here
    if log_matches:
        (OUT / "exported-telemetry-indicator-matches.txt").write_text("\n".join(log_matches) + "\n")
        print(f"[!] Found {len(log_matches)} matches in logs!")

    if PACKAGES:
        registry_dir = OUT / "registry"
        registry_dir.mkdir(exist_ok=True)

print(f"[+] Wrote scope artifacts under {OUT}")

Provenance & Sources

3 of 3 rows

Provenance & Sources
SourceTypeReliabilityClaimsEvidence
cisa.govSecurity Researcher95%2Google fixed actively exploited CVE-2026-11645 in the June 8, 2026 Chrome desktop update. The V8 out-of-bounds memory flaw can allow code execution inside the browser sandbox through crafted HTML.
chromereleases.googleblog.comSecurity Researcher95%1Google fixed actively exploited CVE-2026-11645 in the June 8, 2026 Chrome desktop update. The V8 out-of-bounds memory flaw can allow code execution inside the browser sandbox through crafted HTML.
nvd.nist.govSecurity Researcher95%1Google fixed actively exploited CVE-2026-11645 in the June 8, 2026 Chrome desktop update. The V8 out-of-bounds memory flaw can allow code execution inside the browser sandbox through crafted HTML.