Google Chrome Patches Actively Exploited V8 Out-of-Bounds Flaw
Google released an urgent Chrome desktop update to fix 74 security issues, including CVE-2026-11645, a high-severity out-of-bounds memory access vulnerability in the V8 JavaScript engine. Google said an exploit for the flaw exists in the wild, making it the most pressing issue in the release. The update affects Chrome on Windows, macOS, and Linux, and Google limited technical details for some bugs until more users receive the patch.
The release also addresses multiple additional memory-safety flaws, including use-after-free bugs in components such as Ozone, Bluetooth, and tab strips. HKCERT separately published an advisory covering multiple Chrome vulnerabilities, reinforcing the breadth of the fixes. Organizations are being urged to update Chrome immediately and ensure browser restarts are completed so the patched version is applied across managed endpoints.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Google releases Chrome update fixing exploited V8 flaw CVE-2026-11645
Google released an urgent Chrome desktop security update addressing CVE-2026-11645, a high-severity out-of-bounds memory access vulnerability in the V8 JavaScript engine. Google said an exploit for the flaw exists in the wild and noted the update also includes 74 security fixes affecting Windows, macOS, and Linux desktop platforms.
Researcher reports Chrome zero-day CVE-2026-11645 to Google
Google said researcher "303f06e3" reported CVE-2026-11645, an out-of-bounds memory access flaw in the V8 engine, on 2026-04-27. The company awarded a $55,000 bug bounty for the finding.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
17 references tracked. Mallory keeps watching after this page renders.
구글 크롬, 제로데이 취약점(CVE-2026-11645) 긴급 업데이트 권고
blog.alyac.co.kr
Open sourceCVE-2026-11645: Chrome Zero-Day in V8
socprime.com
Open sourceGoogle Chrome 0-Day Vulnerability Exploited in the Wild - Update Now
cybersecuritynews.com
Open sourceGoogle releases emergency update for fifth Chrome zero-day exploited in the wild this year | brief | SC Media
scworld.com
Open sourceGoogle patches Chrome zero-day exploited in the wild (CVE-2026-11645) - Help Net Security
helpnetsecurity.com
Open sourceChrome Releases: Stable Channel Update for Desktop
chromereleases.googleblog.com
Open sourceCVE-2026-11645: CVE-2026-11645: Out-of-Bounds Memory Access in Google Chrome V8 Engine | CVEReports
cvereports.com
Open source���������� Chrome 149.0.7827.102 � ����������� 17 ����������� ����������
opennet.ru
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Google Patches Two Actively Exploited Chrome Zero-Days
Google released an urgent **Chrome stable channel** update to address two **high-severity zero-day vulnerabilities** that the company says are being **actively exploited in the wild**. The patched versions are `146.0.7680.75/76` for **Windows and macOS** and `146.0.7680.75` for **Linux**, with rollout occurring over days to weeks. The flaws were reported internally by Google on March 10, and Google said access to additional bug details may remain restricted until most users have updated. The two vulnerabilities are **CVE-2026-3909**, an **out-of-bounds write in Skia**, and **CVE-2026-3910**, an **inappropriate implementation in V8**. Both components are high-value targets because they sit in Chrome’s rendering and JavaScript execution paths, creating opportunities for malicious webpages to trigger memory corruption or unsafe browser behavior that could lead to **arbitrary code execution**. The update is a substantive security release rather than routine product news because Google explicitly confirmed that exploits exist for both issues, making rapid patching a priority for enterprises and end users.
Mar 21, 2026
Google Patches Two Actively Exploited Chrome Zero-Day Vulnerabilities
Google released emergency Chrome updates to fix two **high-severity zero-day vulnerabilities**, `CVE-2026-3909` and `CVE-2026-3910`, that are being **exploited in the wild**. Advisory reporting says the flaws can enable **data manipulation** and **security restriction bypass**, prompting a **high-risk** assessment. Google has not disclosed attack details, indicating access to technical information may remain restricted until more users have installed the fixes. Technical reporting identifies `CVE-2026-3909` as an **out-of-bounds write** in **Skia**, Chrome’s graphics library, and `CVE-2026-3910` as an **inappropriate implementation** issue in the **V8 JavaScript and WebAssembly engine**. Google said both were patched within days of being reported, with fixes rolling out to the Stable Desktop channel for **Windows `146.0.7680.75`**, **macOS `146.0.7680.76`**, and **Linux `146.0.7680.75`**. The company warned that full update deployment may take days or weeks, making prompt browser updates important while exploitation is ongoing.
Apr 2, 2026
Google Chrome Emergency Update Patches Multiple Critical Vulnerabilities
Google released an emergency update for *Chrome for Desktop* to **Stable channel 145.0.7632.159/160 (Windows/macOS)** and **145.0.7632.159 (Linux)**, addressing **10 security vulnerabilities**, including **three Critical** issues. Reported flaws include `CVE-2026-3536` (integer overflow in **ANGLE**), `CVE-2026-3537` (object lifecycle issue in **PowerVR**), and `CVE-2026-3538` (integer overflow in **Skia**); additional **High-severity** bugs span components such as **V8**, **WebAssembly**, **CSS**, **DevTools**, and media-related subsystems. Google limited detailed disclosure until patch adoption increases and urged users to update promptly; reported bug bounty awards for individual findings reached **up to $33,000**. The Canadian Centre for Cyber Security echoed Google’s advisory, recommending organizations apply the Chrome updates when available to remediate the affected versions. Separate Canadian Centre advisories also covered unrelated patch guidance for **Drupal contributed modules** (including a **critical access bypass** in *AJAX Dashboard* and moderate issues such as XSS in other modules) and a **Tenable Nessus Manager** vulnerability fixed in versions **10.10.3** and **10.11.3**; these items are distinct from the Chrome emergency update and should be tracked independently in vulnerability management workflows.
Mar 21, 2026