Executive Summary
Google released Chrome desktop builds 149.0.7827.102/.103 for Windows and macOS and 149.0.7827.102 for Linux on 2026-06-08. The release fixed CVE-2026-11645, a high-severity out-of-bounds memory-access vulnerability in V8, and Google stated that an exploit exists in the wild Google Chrome Releases opens in a new tab.
CISA added the vulnerability to the Known Exploited Vulnerabilities catalog on 2026-06-09 with a federal remediation due date of 2026-06-23 CISA alert opens in a new tab. NVD describes the issue as an out-of-bounds read and write that can allow a remote attacker to execute arbitrary code inside the browser sandbox through crafted HTML NVD opens in a new tab. Public sources reviewed through 2026-06-10 do not establish a sandbox escape, exploit chain, campaign, or public indicators beyond vulnerable browser versions.