Chrome Zero-Day Exploit CVE-2026-11645: Update Now

Eng. Donya Bino

Google just released emergency security updates for Chrome. The reason? A Chrome zero-day exploit CVE-2026-11645 is already being used by attackers in the wild.

If you haven't updated your browser in the past few days, you're vulnerable. Here's what you need to know and exactly what to do about it.

What Is CVE-2026-11645?

The Chrome zero-day exploit CVE-2026-11645 resides in V8, Chrome's JavaScript and WebAssembly engine. Specifically, it's an out-of-bounds memory access flaw.

That technical description matters because out-of-bounds errors let attackers read or write data where they shouldn't. 

In this case, a remote attacker can execute arbitrary code inside Chrome's sandbox using nothing more than a crafted HTML page.

The vulnerability carries a CVSS score of 8.8, high severity. And it's already being exploited.

Who Discovered the Vulnerability?

A researcher identified as 303f06e3 discovered the new Google Chrome zero-day CVE-2026-11645 on April 27, 2026. Google has established a $55,000 bug bounty to encourage the responsible disclosure of this bug, which suggests that it may have significant impact and severity.

Which Versions of Google Chrome Have Been Affected?

All Chrome versions prior to:
149.0.7827.103 for Windows and macOS
149.0.7827.102 for Linux

If your browser is older than these numbers, you're exposed to the Chrome zero-day exploit CVE-2026-11645.

The Fifth Zero-Day of 2026

This isn't an isolated incident. With the patch for Chrome zero-day exploit CVE-2026-11645, Google has now fixed five actively exploited zero-days since January 2026.

The previous four are:
CVE-2026-2441
CVE-2026-3909
CVE-2026-3910
CVE-2026-5281

That's roughly one per month. Attackers aren't slowing down.

Why "Actively Exploited" Matters

Google's advisory states that an "exploit for CVE-2026-11645 exists in the wild." That's their careful way of saying: attackers have already figured out how to use this against real people.

The company deliberately shares few technical details about active exploits. The goal is to push users to update before more attackers reverse-engineer the patch.
So when you hear "zero-day," think: the race is on. You want to be on the patched side before the bad guys knock on your door.

How to Protect Yourself Right Now

Here is how to update your Chrome browser.

1. Open Google Chrome.
2. Click the three dots in the top right-hand corner.
3. Hover your mouse over Help.
4. Click About Google Chrome.
5. Google automatically checks for, downloads, and presents the current updates for the Chrome browser installed on your device.
6. If prompted, select Relaunch now to apply the most recent update.

That's it. After relaunch, verify the version number shows 149.0.7827.103 (Windows/Mac) or 149.0.7827.102 (Linux).
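To run the same version check across many machines, the sketch below is an added example (not from Google or the original article) that compares reported version strings against the fixed builds listed above. The host names and inventory rows are constructed, and the strings are assumed to contain a four-part version of the kind Chrome reports.

```python
import re

# Fixed builds as stated in this article, keyed by platform.
FIXED = {
    "windows": (149, 0, 7827, 103),
    "macos": (149, 0, 7827, 103),
    "linux": (149, 0, 7827, 102),
}
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Extract a four-part version, e.g. from 'Google Chrome 149.0.7827.102'."""
    match = VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no four-part version in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_patched(version_text, platform):
    """Compare numerically: as plain strings, '99' would sort after '103'."""
    return parse_version(version_text) >= FIXED[platform.lower()]


def audit(inventory):
    """Return (host, status) for every host that is not confirmed patched."""
    findings = []
    for host, platform, reported in inventory:
        try:
            if not is_patched(reported, platform):
                findings.append((host, "vulnerable: " + reported))
        except (ValueError, KeyError) as exc:
            # Unknown platform or unreadable version: flag it, never assume patched.
            findings.append((host, f"unverified: {exc}"))
    return findings


# Constructed sample inventory: (host, platform, reported version string).
SAMPLE_INVENTORY = [
    ("ws-01", "windows", "Google Chrome 149.0.7827.103"),
    ("ws-02", "windows", "Google Chrome 149.0.7827.99"),
    ("mac-01", "macos", "Google Chrome 148.0.7778.200"),
    ("lnx-01", "linux", "Google Chrome 149.0.7827.102"),
    ("lnx-02", "linux", "unknown"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY):
        print(f"{host}: {status}")
```

Hosts whose version cannot be read are reported as unverified so they get a manual check instead of being counted as patched.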

What About Other Browsers?

If you use a Chromium-based browser such as Microsoft Edge, Brave, Opera, or Vivaldi, you're also at risk. These browsers share the same underlying engine as Chrome.
Check each browser's update channel immediately. Apply fixes as soon as they become available. Don't assume automatic updates have already run.

The Bigger Picture

The Chrome zero-day exploit CVE-2026-11645 is a reminder that browser security isn't a "set it and forget it" affair. V8 vulnerabilities have become a favorite target for attackers because JavaScript runs everywhere.

Google's sandbox is strong, but out-of-bounds memory access flaws like this one can sometimes be used to break out of it, or at least to cause serious damage from inside.

Conclusion

The Chrome zero-day exploit CVE-2026-11645 is real, it's active, and the fix is already available. There's no reason to wait.

Update Chrome now. Update your Chromium-based browsers. And make it a habit to check for browser updates weekly, not just when you hear about another zero-day.

Because next month, there will likely be another one.

FAQ Section

What is the CVE-2026-11645 vulnerability? 

CVE-2026-11645 is an out-of-bounds memory access vulnerability in Chrome's V8 engine. A malicious HTML page could allow a remote attacker to exploit the vulnerability and execute arbitrary code within the Chrome browser sandbox.

Is CVE-2026-11645 currently being exploited as a zero-day by attackers?

According to Google, the exploit exists and is being used in the wild.

Which Chrome versions include the fix for CVE-2026-11645?

Chrome 149.0.7827.103 (Windows/macOS) and 149.0.7827.102 (Linux).

How can I update my Chrome browser?

To update Google Chrome, go to More > Help > About Google Chrome. This will allow automatic installation of any updates.

Are there updates available for other browsers based on Chromium? 

Yes, Microsoft Edge, Brave, Opera and Vivaldi are all Chromium browsers and are applying necessary updates and patches.

Source: The Hacker News