Google has released an urgent Chrome security update to address a newly discovered zero-day vulnerability, identified as CVE-2026-11645, which is already being actively exploited in real-world attacks. This marks the fifth Chrome zero-day vulnerability observed in active exploitation so far in 2026.
In its advisory, Google confirmed awareness of ongoing attacks leveraging this flaw, stating that an exploit for CVE-2026-11645 has been detected in the wild.
The vulnerability originates from an out-of-bounds memory access issue within Chrome’s V8 JavaScript engine. This type of flaw occurs when software attempts to read or write data outside the allocated memory boundaries, which can lead to unstable behavior and security risks. Depending on how it is exploited, such a vulnerability could result in application crashes (denial of service), privilege escalation, or potentially allow attackers to execute arbitrary code on affected systems.
As is standard practice in cases involving active exploitation, Google has withheld detailed technical information to prevent further abuse before users have had time to apply patches.
Since the beginning of 2026, Google has addressed multiple Chrome zero-day vulnerabilities that were exploited in the wild. These include a use-after-free issue in CSS reported in February (CVE-2026-2441), two critical flaws disclosed in March an out-of-bounds write in the Skia graphics library and a vulnerability affecting the V8 JavaScript and WebAssembly engine (CVE-2026-3909 and CVE-2026-3910, both with CVSS scores of 8.8) and a use-after-free vulnerability in the Dawn WebGPU component identified in April (CVE-2026-5281).
The addition of CVE-2026-11645 underscores the continued focus of attackers on browser engines, particularly components like V8, which handle complex web content processing and present a valuable target for exploitation.
Found this article interesting? Follow us on X(Twitter) ,Threads and FaceBook to read more exclusive content we post.
