United States – Google has released an emergency security update for its Chrome web browser to fix a high-severity zero-day vulnerability, tracked as CVE-2026-11645, that is being actively exploited in the wild. Announced in a security advisory on June 9, 2026, the patch is part of a broader release that addresses 74 vulnerabilities across Chrome’s codebase and marks the fifth zero-day the company has fixed so far in 2026.

CVE-2026-11645 is an out-of-bounds read and write flaw in V8, Chrome’s high-performance JavaScript engine, and can be triggered when a user visits a specially crafted HTML page, allowing a remote attacker to execute arbitrary code within the browser sandbox and potentially gain unauthorized access to user data or systems.

Google said it is aware of existing exploit code for the flaw and confirmed that attackers have already used the vulnerability in real-world campaigns, but it is withholding detailed technical and targeting information to limit further abuse until most users apply the fix.

The vulnerability was reported on April 27, 2026, by an anonymous researcher, who received a $55,000 bounty through Google’s Chrome Vulnerability Reward Program.

The patch is included in Chrome version 149.0.7827.102/.103 for Windows and macOS and 149.0.7827.102 for Linux, and is rolling out globally. Google urged users to manually check the “About Chrome” page to ensure immediate updating, noting that Chromium-based browsers such as Microsoft Edge, Brave and Opera will also need to integrate the upstream fixes to protect their users.
Prepared by Jonathan Pierce and reviewed by editorial team.
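This Chrome vulnerability could let hackers access your data. It has already been used in real attacks. If you use Chrome, or browsers such as Edge, Brave or Opera, you are at risk. Check your browser version now.
Google is patching a serious Chrome vulnerability. The fix is included in version 149.0.7827.102/.103. Make sure you have updated. It is a simple step to keep your online world secure. Worth forwarding if you know Chrome users.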