Google Patches 74 Chrome Flaws, Including Actively Exploited V8 Zero-Day CVE-2026-11645
Updated
Updated · The Hacker News · Jun 9
Google Patches 74 Chrome Flaws, Including Actively Exploited V8 Zero-Day CVE-2026-11645
3 articles · Updated · The Hacker News · Jun 9
Summary
Google pushed Chrome 149.0.7827.102/.103 updates to fix 74 vulnerabilities, led by CVE-2026-11645, a high-severity zero-day the company said is already being exploited in the wild.
CVE-2026-11645 carries a CVSS score of 8.8 and stems from an out-of-bounds read and write in Chrome's V8 engine, letting a remote attacker execute arbitrary code inside a sandbox through a crafted HTML page.
Google withheld technical details of the active exploit until more users install the patch; researcher 303f06e3 reported the flaw on April 27 and received a $55,000 bug bounty.
The fix brings Chrome's tally of actively exploited zero-days patched in 2026 to five, and it also affects Chromium-based browsers such as Edge, Brave, Opera and Vivaldi once their updates ship.