CVE-2026-11645
Confirmed PUBLISHEDOut of bounds read and write in V8 in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox...
5 hours faster than CISA KEV
Recommended Action
Prioritize remediation. Validate affected assets and apply vendor fixes on an accelerated timeline.
At a Glance
Out of bounds read and write in V8 in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
- CVE Published
- Jun 08, 2026
- Exploitation Reported
- Jun 09, 2026
- CVSS
- 8.8 High
- EPSS
- 1.7%
Affected Versions
| Vendor | Product | Version | Status |
|---|---|---|---|
|
Chrome
|
149.0.7827.103 to < 149.0.7827.103 |
Affected |
CVE References
- chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_01... chromereleases.googleblog.com · CVE Record https://chromereleases.googleblog.com/2026/06/stable-channel-update-f...
- issues.chromium.org/issues/506689381 issues.chromium.org · CVE Record https://issues.chromium.org/issues/506689381
Recommended Actions
- Prioritize remediation. Validate affected assets and apply vendor fixes on an accelerated timeline.
- Check enrichment artifacts for scanner coverage and available PoCs before rolling remediation validation.
- Use the Pro API to automate enrichment, telemetry, and workflow delivery for VM, SOC, and CTI pipelines.
Known Exploited Vulnerability Sources
Catalogues that list this CVE as a known exploited vulnerability.
Per-source evidence links for KEV attestations are available through the KEVIntel Pro API.
Learn about Pro API access| Source | Added |
|---|---|
| TheHackerNews First | 2026-06-09 13:20 UTC |
| CISA | 2026-06-09 18:01 UTC |
| CVE | 2026-06-09 18:01 UTC |
| All CISA Advisories | 2026-06-09 20:20 UTC |
No detection artifacts or sensor request patterns are available for this CVE yet.
Check back as sensor telemetry and scanner integrations are updated.
Virtual Patch
Compensating WAF rules to help reduce exposure to this CVE. Rule content and deployable vendor exports are available with KEVIntel Enterprise.
KEVIntel does not currently have a virtual patch for this CVE. When available, KEVIntel virtual patches ship as deployable ModSecurity, Cloudflare, and AWS WAF rules.
Enterprise feature. Virtual patch rule content and deployable vendor exports (ModSecurity, Cloudflare, AWS WAF) are available to KEVIntel Enterprise users.
CVSS Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitation Status
Exploited in the wild
Recorded 2026-06-09 13:20:17 UTC · TheHackerNews
Proof of concept available
Recorded 2026-06-10 23:06:47 UTC · GitHub
Recent Mentions
Google Chrome Releases · Jun 17, 2026
The ChromeOS Stable channel is being updated to OS version 16667.47.0 (Browser version 149.0.7827.153) for most ChromeOS devices.If you find new issues, please let us know one of the following ways:File a bugVisit our ChromeOS communitiesGeneral: Chromebook Help CommunityBeta Specific: ChromeOS Beta Help CommunityReport an issue or send feedback on ChromeInterested in switching channels? Find out how.Luis MenezesGoogle ChromeOS ChromeOS Vulnerability Rewards Program Reported Bug Fixes:N/AOther 3rd Party Security Fixes Included:High Fixes [LPE] Patchpanel ConnectNamespace PID Gate Bypass Allows CAP_NET_ADMIN Root Netns Operations Medium Fixes [PSP-376][PowerVR] Resource leak and improper locking in DevmemIntMapPMR error path if remapping with incompatible policy High Fixes CVE-2026-41157 [PSP-419][PowerVR] OOB Write in CalculateNPOTTwiddleSparsePageMap3D Android Security fixes can be found hereChrome Browser Security Fixes:[$TBD] [517046249] Critical CVE-2026-10902 Use after free in Ozone on 2026-05-27 [$TBD] [516653777] Critical CVE-2026-10899 Use after free in Ozone on 2026-05-26 [$TBD] [516311623] High CVE-2026-10989 Inappropriate implementation in V8 on 2026-05-24 [$TBD] [515465685] High CVE-2026-10988 Use after free in Views on 2026-05-21 [$TBD] [515431687] High CVE-2026-10987 Integer overflow in V8 on 2026-05-21 [$TBD] [514744613] High CVE-2026-10986 Integer overflow in Media on 2026-05-19 [$TBD] [514082801] High CVE-2026-10985 Out of bounds read in Skia on 2026-05-17 [$TBD] [513947609] High CVE-2026-10983 Insufficient validation of untrusted input in Dawn on 2026-05-16 [$TBD] [513946753] Critical CVE-2026-10898 Stack buffer overflow in GPU on 2026-05-16 [$TBD] [513774197] High CVE-2026-10982 Use after free in WebXR on 2026-05-16 [$TBD] [513762354] High CVE-2026-10981 Insufficient validation of untrusted input in Codecs on 2026-05-16 [$TBD] [513713927] High CVE-2026-10980 Insufficient validation of untrusted input in DevTools on ...
All CISA Advisories · Jun 09, 2026
CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. CVE-2026-7473 Arista Extensible Operating System Incomplete Comparison with Missing Factors Vulnerability CVE-2026-11645 Google Chromium V8 Out-of-Bounds Read and Write Vulnerability CVE-2026-20245 Cisco Catalyst SD-WAN Manager Improper Encoding or Escaping of Output Vulnerability These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
TheHackerNews · Jun 09, 2026
Google has released security updates to address 74 vulnerabilities, including one that has come under active exploitation in the wild. The high-severity vulnerability, tracked as CVE-2026-11645 (CVSS score: 8.8), has been described as an out-of-bounds memory access in V8, Chrome's JavaScript and WebAssembly engine. "Out-of-bounds read and write in V8 in Google Chrome prior to 149.0.7827.103
Google Chrome Releases · Jun 08, 2026
The Stable channel has been updated to 149.0.7827.102/.103 for Windows and Mac and 149.0.7827.102 for Linux, which will roll out over the coming days/weeks. A full list of changes in this build is available in the LogSecurity Fixes and RewardsNote: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.This update includes 74 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information[N/A][516501794] Critical CVE-2026-11628: Use after free in Ozone. Reported by Google on 2026-05-25[N/A][516674532] Critical CVE-2026-11629: Use after free in Ozone. Reported by Google on 2026-05-26[N/A][516677924] Critical CVE-2026-11630: Use after free in File Input. Reported by Google on 2026-05-26[N/A][516691130] Critical CVE-2026-11631: Use after free in Aura. Reported by Google on 2026-05-26[N/A][516707881] Critical CVE-2026-11632: Use after free in TabStrip. Reported by Google on 2026-05-26[N/A][516963272] Critical CVE-2026-11633: Use after free in Bluetooth. Reported by Google on 2026-05-27[N/A][516975148] Critical CVE-2026-11634: Use after free in Gamepad. Reported by Google on 2026-05-27[N/A][516987814] Critical CVE-2026-11635: Use after free in Bluetooth. Reported by Google on 2026-05-27[N/A][517023053] Critical CVE-2026-11636: Use after free in Autofill. Reported by Google on 2026-05-27[N/A][517040438] Critical CVE-2026-11637: Use after free in Views. Reported by Google on 2026-05-27[N/A][517047197] Critical CVE-2026-11638: Use after free in Printing. Reported by Google on 2026-05-27[N/A][517227707] Critical CVE-2026-11639: Use after free in Compositing. Reported by Google on 2026-05-27[N/A][517339758] Critical CVE-2026-11640: Integer overflow in libyuv. Reported by Google on 2026-05-28[N/A][517418936]...
Potential Proof of Concepts
These PoCs are unverified and could contain malware. Use at your own risk.
github · Created 2026-06-10 23:06:47 UTC · 0 stars
github · Created 2026-06-10 15:02:56 UTC · 0 stars
# CVE-2026-11645 - Chrome V8 Out-of-Bounds Read/Write Exploit
Timeline
Key exploitation, disclosure, scanner coverage, and KEV attestation events for this CVE.
-
15:02 UTC about 1 month ago15:02 UTC · about 1 month ago
Public PoC available
Public proof-of-concept code published
-
20:20 UTC about 1 month ago20:20 UTC · about 1 month ago
KEV confirmed by All CISA Advisories
Exploitation attested by an external source
-
18:01 UTC about 1 month ago18:01 UTC · about 1 month ago
KEV confirmed by CVE
Exploitation attested by an external source
-
18:01 UTC about 1 month ago18:01 UTC · about 1 month ago
Added to CISA KEV
Listed in the CISA Known Exploited Vulnerabilities catalog
-
13:20 UTC about 1 month ago13:20 UTC · about 1 month ago
Added to KEVIntel KEV Feed
High-confidence, third-party attested exploitation
-
23:27 UTC about 1 month ago23:27 UTC · about 1 month ago
CVE published
Vulnerability disclosed publicly
-
21:33 UTC about 1 month ago21:33 UTC · about 1 month ago
CVE ID reserved
Identifier reserved by the CNA
Automate This Intelligence with the Pro API
Confidence scoring, exploit status, sensor telemetry, PoCs, scanner integrations, mentions, and tags are available programmatically for VM, SOC, and CTI workflows.
Pro API Example
GET /api/v2/pro/kevs/CVE-2026-11645
{
"cve_id": "CVE-2026-11645",
"title": "Out of bounds read and write in V8 in Google Chrome prior to 149.0.7827.103 a...",
"affected_vendor": "Google",
"affected_product": "Chrome",
"affected_versions": [
{ "vendor": "...", "product": "...", "status": "affected", "display_label": "..." }
],
"confidence": "Confirmed",
"cvss_score": 8.8,
"epss_score": 0.01654,
"exploit_status": {
"exploited_in_the_wild": true,
"active_exploitation_observed": false
},
"sensor_telemetry": { "...": "Pro API fields" },
"proof_of_concepts": [ "..." ],
"scanner_integrations": [ "..." ]
}