Govt Abstract
The most recent Google Chrome 149 replace (variations 149.0.7827.102 and 149.0.7827.103) addresses a crucial safety panorama by patching 28 vulnerabilities, lots of that are categorised as excessive or crucial severity. Probably the most important amongst these is CVE-2026-11645, an out-of-bounds learn/write flaw within the V8 JavaScript engine, which has been confirmed as actively exploited within the wild. This advisory gives a complete technical breakdown of the vulnerabilities, exploitation ways, menace actor exercise, affected product variations, and actionable mitigation steering. The urgency of this replace can’t be overstated, as exploitation of those vulnerabilities can result in arbitrary code execution, privilege escalation, and compromise of delicate information. All organizations utilizing Google Chrome are strongly suggested to replace instantly and assessment their endpoint safety posture.
Technical Data
The Chrome 149 replace remediates a spectrum of vulnerabilities, predominantly reminiscence issues of safety reminiscent of “use-after-free” and integer overflow bugs. These flaws are distributed throughout a number of Chrome elements, together with Ozone, File Enter, Aura, TabStrip, Bluetooth, Gamepad, Autofill, Views, Printing, Compositing, libyuv, Internet Apps, Proxy, ViewTransitions, FullScreen, Community, Extensions, CameraCapture, and Media. Probably the most crucial vulnerability, CVE-2026-11645, is an out-of-bounds reminiscence entry within the V8 engine, which underpins Chrome’s JavaScript execution. This vulnerability permits distant attackers to craft malicious HTML or JavaScript payloads that, when rendered by a weak browser, can obtain arbitrary code execution inside the Chrome sandbox. The assault vector is distant and requires solely {that a} consumer go to a compromised or malicious web site.
The technical root explanation for CVE-2026-11645 is improper bounds checking within the V8 engine, resulting in reminiscence corruption. This may be exploited to control the browser’s reminiscence structure, bypassing safety controls and enabling the execution of attacker-controlled code. The vulnerability is classed below CWE-125 (Out-of-bounds Learn) and CWE-787 (Out-of-bounds Write), each of that are infamous for his or her exploitability and potential influence.
Different notable vulnerabilities embody a number of “use-after-free” circumstances, the place reminiscence is accessed after it has been freed, resulting in undefined conduct and potential code execution. For instance, CVE-2026-11628 and CVE-2026-11629 have an effect on Ozone, whereas CVE-2026-11633, CVE-2026-11635, CVE-2026-11641, CVE-2026-11698, and CVE-2026-11699 goal the Bluetooth element. Integer overflows, reminiscent of CVE-2026-11640 and CVE-2026-11678 in libyuv, can even result in buffer overflows and subsequent code execution.
The vulnerabilities patched on this launch are the results of each inside audits and exterior safety analysis, with a number of being reported by the Google Chrome Vulnerability Reward Program. The fast response and inclusion of those fixes within the secure channel underscore the criticality of the problems and the necessity for instant motion by enterprise and particular person customers alike.
Exploitation within the Wild
CVE-2026-11645 has been confirmed as exploited within the wild, with lively campaigns leveraging malicious web sites to ship exploit payloads to weak Chrome browsers. The exploitation chain sometimes entails a drive-by compromise, the place customers are lured to attacker-controlled or compromised legit websites internet hosting malicious JavaScript. Upon rendering, the exploit triggers the out-of-bounds reminiscence entry in V8, enabling arbitrary code execution inside the browser context.
Safety researchers and menace intelligence platforms, together with CISA and The Hacker Information, have reported ongoing exploitation, with indicators of compromise (IOCs) together with suspicious HTML/JavaScript payloads and anomalous course of spawning from the Chrome browser. The CISA Identified Exploited Vulnerabilities (KEV) Catalog has listed CVE-2026-11645 as requiring instant remediation, significantly for federal companies, however the steering extends to all organizations because of the widespread use of Chrome.
No absolutely public proof-of-concept (PoC) exploit code has been launched as of this writing, however exploit discussions and technical particulars have surfaced on social media and safety boards, growing the danger of broader exploitation.
APT Teams utilizing this vulnerability
Whereas there isn’t a definitive public attribution to particular Superior Persistent Menace (APT) teams for CVE-2026-11645 at the moment, the exploitation patterns noticed are per each financially motivated cybercriminals and state-sponsored actors. Traditionally, browser zero-days have been leveraged by teams reminiscent of APT28 (Fancy Bear), APT29 (Cozy Bear), and Charming Kitten, amongst others, for preliminary entry and espionage operations. The technical sophistication required to take advantage of out-of-bounds reminiscence vulnerabilities in V8 means that well-resourced menace actors are doubtless concerned or will quickly undertake this exploit into their toolkits.
Safety researchers have famous that the fast weaponization of browser vulnerabilities is a trademark of each focused and opportunistic campaigns, with exploitation typically previous public disclosure. Organizations in sectors reminiscent of authorities, finance, know-how, and protection needs to be significantly vigilant.
Affected Product Variations
The vulnerabilities have an effect on all variations of Google Chrome previous to 149.0.7827.103 on Home windows, macOS, and Linux. Particularly, the next variations are impacted: Google Chrome 149.0.7827.102 for Home windows, Google Chrome 149.0.7827.103 for Home windows, Google Chrome 149.0.7827.102 for macOS, Google Chrome 149.0.7827.103 for macOS, and Google Chrome 149.0.7827.102 for Linux. Any deployment operating a model decrease than 149.0.7827.103 is weak to the problems described on this advisory.
Workaround and Mitigation
The first mitigation is to replace Google Chrome to model 149.0.7827.103 or afterward all platforms. This replace is obtainable through the usual Chrome replace mechanism and needs to be deployed as a matter of urgency. Organizations ought to implement browser updates by centralized administration instruments reminiscent of Google Workspace Admin Console, Microsoft Endpoint Supervisor, or equal options to make sure compliance throughout all endpoints.
Along with patching, organizations ought to monitor for indicators of compromise, together with browsers operating outdated variations, suspicious HTML/JavaScript payloads concentrating on the V8 engine, and weird course of spawning from the Chrome browser context. Endpoint Detection and Response (EDR) options needs to be configured to alert on anomalous browser conduct and potential exploitation makes an attempt.
The place instant patching shouldn’t be possible, think about briefly proscribing entry to untrusted web sites, disabling JavaScript execution for high-risk customers, and segmenting weak endpoints from delicate community assets. Nevertheless, these are solely stopgap measures and don’t exchange the necessity for immediate patching.
Confer with the CISA KEV steering for added compliance and mitigation steps, significantly for organizations topic to federal cybersecurity mandates.
References
Chrome Official Launch Notes: https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0153744567.html NVD Entry for CVE-2026-11645: https://nvd.nist.gov/vuln/detail/CVE-2026-11645 CISA KEV Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-11645 The Hacker Information Protection: https://thehackernews.com/2026/06/chrome-v8-zero-day-cve-2026-11645.html HelpNetSecurity Protection: https://www.helpnetsecurity.com/2026/06/09/google-chrome-zero-day-cve-2026-11645/ Reddit Dialogue: https://www.reddit.com/r/pwnhub/comments/1u3w1en/googles_chrome_149_update_fixes_28_critical_bugs/ LinkedIn Publish: https://www.linkedin.com/posts/dlross_chrome-149-update-patches-28-vulnerabilities-activity-7471373279149277185-coN1 SecurityWeek X Publish: https://x.com/SecurityWeek/status/2065365556945940704 PoC/Exploit Dialogue: https://x.com/AndreGironda/status/2064852246748381681
Rescana is right here for you
At Rescana, we perceive that the evolving menace panorama requires proactive and steady danger administration. Our Third-Occasion Threat Administration (TPRM) platform empowers organizations to determine, assess, and mitigate cyber dangers throughout their digital provide chain, guaranteeing resilience towards each identified and rising threats. Whereas this advisory focuses on the most recent Google Chrome vulnerabilities, our platform gives complete visibility and actionable intelligence that will help you keep forward of adversaries. For any questions, additional technical particulars, or help along with your cybersecurity program, our crew is able to assist at ops@rescana.com.