Google has mounted 74 vulnerabilities in Chrome, together with a high-severity zero-day (CVE-2026-11645) that has been exploited within the wild.
“Google is conscious that an exploit for CVE-2026-11645 exists within the wild,” the corporate mentioned in a Monday safety advisory.
The repair has been shipped in Chrome 149.0.7827.102/.103 for Home windows and macOS and Chrome 149.0.7827.102 for Linux, with the replace rolling out to customers over the approaching days and weeks.
About CVE-2026-11645
CVE-2026-11645 is an out-of-bounds read and write vulnerability in V8, Chrome’s JavaScript engine, that may enable a distant attacker to execute arbitrary code inside the browser’s sandbox by way of a crafted HTML web page.
Google has not disclosed further particulars in regards to the patched zero-day or its in-the-wild exploitation, a regular apply when addressing actively exploited vulnerabilities.
“Entry to bug particulars and hyperlinks could also be stored restricted till a majority of customers are up to date with a repair,” Google famous.
“We will even retain restrictions if the bug exists in a third-party library that different tasks equally rely upon, however haven’t but mounted.”
The vulnerability was reported to Google on April 27, 2026, by an nameless researcher who acquired a $55,000 bug bounty for responsibly disclosing the flaw.
CVE-2026-11645 is the fifth Chrome zero-day vulnerability Google has mounted in 2026. Beforehand patched flaws embody CVE-2026-2441, CVE-2026-3909, CVE-2026-3910, and CVE-2026-5281.