Google Rushes Out Emergency Patch for Fifth Chrome Zero-Day of the Year
**Google** has issued an urgent security update for its **Chrome** web browser, addressing a critical zero-day vulnerability, **CVE-2026-11645**, that is actively being exploited in the wild. This marks the fifth such flaw patched by the tech giant since the beginning of 2026, underscoring the persistent threat landscape for web browsers. IT security professionals and privacy-conscious users are strongly urged to update immediately to protect against potential attacks.

**Google** has released emergency updates to patch another **Chrome** zero-day vulnerability, **CVE-2026-11645**, which has been exploited in the wild. This is the fifth such flaw addressed by the company since the start of the year.
"Google is aware that an exploit for **CVE-2026-11645** exists in the wild," the company stated in a recent security advisory. The update rolled out to users in the Stable Desktop channel for Windows (version 149.0.7827.102), Mac (149.0.7827.103), and Linux (149.0.7827.102) systems, approximately two weeks after an anonymous security researcher reported the flaw.
### Understanding CVE-2026-11645
This high-severity zero-day vulnerability stems from an out-of-bounds read and write weakness within the **Chrome V8 JavaScript engine**. Remote attackers can exploit this flaw by crafting malicious HTML pages, potentially allowing them to execute arbitrary code within the web browser's sandbox environment.
Successful exploitation could lead to data access beyond the memory buffer through heap corruption, exposing sensitive information or causing application crashes. Furthermore, this bug could be leveraged to bypass critical protection mechanisms such as **ASLR** (Address Space Layout Randomization), making it easier for attackers to achieve full code execution via other weaknesses.
### Immediate Action Required
While **Google** indicates that security updates can take days or weeks to reach all **Chrome** users, the patched versions are typically available immediately upon manual checking. Users are advised to update their browsers without delay by navigating to `Settings > About Chrome` or restarting their browser to trigger the automatic update process.
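
Because the rollout can lag by days or weeks, a fleet check against the fixed builds quoted above is a quick way to see who is still exposed. The following Python sketch is an added example, not Google's tooling: the host names, the inventory rows and the non-149.0.7827.x version strings are constructed, and the input is assumed to look like the output of `google-chrome --version`.

```python
import re

# Fixed Stable Desktop builds as quoted in this article.
PATCHED = {
    "windows": (149, 0, 7827, 102),
    "mac": (149, 0, 7827, 103),
    "linux": (149, 0, 7827, 102),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract a four-part Chrome version from free text.

    Returns a tuple of ints, or None when no version is present.
    """
    match = VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def status(platform, version_text):
    """Classify one host as 'patched', 'vulnerable' or 'unknown'."""
    fixed = PATCHED.get(platform.lower())
    found = parse_version(version_text)
    if fixed is None or found is None:
        return "unknown"  # never count unparseable data as patched
    # Tuples compare numerically per component, so build 99 < build 102
    # (a plain string comparison would get this wrong).
    return "patched" if found >= fixed else "vulnerable"


def audit(inventory):
    """Return (host, platform, version_text, status) for hosts not patched."""
    rows = [(h, p, v, status(p, v)) for h, p, v in inventory]
    return [row for row in rows if row[3] != "patched"]


# Constructed sample inventory: (host, platform, reported version string).
INVENTORY = [
    ("ws-01", "windows", "Google Chrome 149.0.7827.102"),
    ("ws-02", "windows", "Google Chrome 149.0.7827.99"),
    ("mac-01", "mac", "Google Chrome 149.0.7827.102"),  # Mac fix is .103
    ("lin-01", "linux", "Google Chrome 148.0.7778.215"),
    ("lin-02", "linux", "Google Chrome 150.0.7900.10"),
    ("kiosk-01", "linux", ""),  # agent returned nothing
]

if __name__ == "__main__":
    for row in audit(INVENTORY):
        print(*row, sep="\t")
```

Hosts reported as `unknown` deserve the same follow-up as `vulnerable` ones, since a missing version string says nothing about patch state.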

**Google** has confirmed active exploitation of **CVE-2026-11645**, but has not yet shared further details about these incidents. This is a common practice to prevent further exploitation while updates are still rolling out.
"Access to bug details and links may be kept restricted until a majority of users are updated with a fix," **Google** explained. "We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven't yet fixed."
### A Year of Persistent Threats
**CVE-2026-11645** is the fifth zero-day vulnerability **Google** has patched in **Chrome** since the beginning of 2026. The previous four include:
* **CVE-2026-2441**: An iterator invalidation bug in **CSSFontFeatureValuesMap** (Chrome's implementation of CSS font feature values), addressed in mid-February.
* **CVE-2026-3909** and **CVE-2026-3910**: Two zero-day bugs fixed in March. **CVE-2026-3909** was an out-of-bounds write weakness in the **Skia** 2D graphics library, and **CVE-2026-3910** was an inappropriate implementation vulnerability in the **V8 JavaScript and WebAssembly engine**.
* **CVE-2026-5281**: A use-after-free weakness in **Dawn**, the underlying cross-platform implementation of the **WebGPU** standard used by the **Chromium** project, patched in April.

Looking back, **Google** addressed eight zero-days exploited in the wild in 2025. Many of these critical flaws were reported by **Google's Threat Analysis Group (TAG)**, which is renowned for identifying and tracking zero-day exploits, particularly those used in spyware attacks.