← Back to all briefs
Security50s read

5th Chrome Zero-Day of 2026: V8 Engine Bug Exploited in the Wild

CVE-2026-11645 is the fifth Chrome zero-day exploited in 2026, an out-of-bounds read/write in the V8 JavaScript/WebAssembly engine. CVSS 8.8. Patch is in Chrome 149. The pace of Chrome zero-days is accelerating.

Google patched CVE-2026-11645 on June 9, the fifth Chrome zero-day actively exploited in the first six months of 2026. The vulnerability is in V8's JavaScript/WebAssembly engine, allowing arbitrary code execution inside the browser sandbox via a crafted HTML page.

The vulnerability

The accelerating pace

Chrome zero-days are being discovered and exploited at an accelerating rate:

Year Zero-Days Patched
2023 8 (full year)
2024 9 (full year)
2025 12 (full year)
2026 5 (first 6 months)

At current pace, 2026 is on track to exceed 2025's record.

Why V8 is the favorite target

Browser zero-days concentrate in JavaScript engines because:

What to do

  1. Update Chrome, chrome://settings/help, restart after updating
  2. Check Electron apps, process.versions.chrome in DevTools to verify the bundled Chromium version
  3. Check your CI browsers, headless Chrome in CI should be pinned to a specific version that auto-updates or is regularly bumped

The bottom line

The fifth Chrome zero-day in six months isn't a fluke, it's a pattern. JavaScript engines are complex software running untrusted code by design, and attackers are investing heavily in V8 exploit development. Update Chrome today. Check your Electron apps. Treat browser updates as security patches, not feature releases.