5th Chrome Zero-Day of 2026: V8 Engine Bug Exploited in the Wild
CVE-2026-11645 is the fifth Chrome zero-day exploited in 2026, an out-of-bounds read/write in the V8 JavaScript/WebAssembly engine. CVSS 8.8. Patch is in Chrome 149. The pace of Chrome zero-days is accelerating.
Google patched CVE-2026-11645 on June 9, the fifth Chrome zero-day actively exploited in the first six months of 2026. The vulnerability is in V8's JavaScript/WebAssembly engine, allowing arbitrary code execution inside the browser sandbox via a crafted HTML page.
The vulnerability
- Type: Out-of-bounds read/write in V8
- CVSS: 8.8 (High)
- Attack vector: Malicious web page, single click
- Bounty: $55,000 paid to the reporting researcher
- Fixed in: Chrome 149.0.7827.102 (Windows), 149.0.7827.103 (macOS)
The accelerating pace
Chrome zero-days are being discovered and exploited at an accelerating rate:
| Year | Zero-Days Patched |
|---|---|
| 2023 | 8 (full year) |
| 2024 | 9 (full year) |
| 2025 | 12 (full year) |
| 2026 | 5 (first 6 months) |
At current pace, 2026 is on track to exceed 2025's record.
Why V8 is the favorite target
Browser zero-days concentrate in JavaScript engines because:
- Cross-platform, the same exploit often works on Windows, Mac, Linux
- Single click, no user interaction beyond visiting a page
- High value, browser exploits can chain with OS-level exploits for full system compromise
- Complex attack surface, JIT compilers, garbage collectors, and optimization passes offer many avenues for exploitation
What to do
- Update Chrome,
chrome://settings/help, restart after updating - Check Electron apps,
process.versions.chromein DevTools to verify the bundled Chromium version - Check your CI browsers, headless Chrome in CI should be pinned to a specific version that auto-updates or is regularly bumped
The bottom line
The fifth Chrome zero-day in six months isn't a fluke, it's a pattern. JavaScript engines are complex software running untrusted code by design, and attackers are investing heavily in V8 exploit development. Update Chrome today. Check your Electron apps. Treat browser updates as security patches, not feature releases.