Google has released a major security update for Chrome to address 74 vulnerabilities, including an actively exploited zero-day flaw identified as CVE-2026-11645. The high-severity vulnerability affects Chrome’s V8 engine, which powers JavaScript and WebAssembly functionality in the browser. Security experts have warned that the flaw could allow attackers to execute arbitrary code within Chrome’s sandbox environment through a specially crafted HTML page, increasing risks for users running unpatched browser versions. Google confirmed that the vulnerability has been exploited in the wild, prompting recommendations for immediate browser updates across supported operating systems.
Tracked as CVE-2026-11645, the vulnerability has been assigned a CVSS score of 8.8 and is classified as an out-of-bounds memory access issue in V8. According to vulnerability details published in the National Vulnerability Database (NVD), the flaw impacts Google Chrome versions prior to 149.0.7827.103 and may enable remote attackers to perform arbitrary code execution by exploiting memory handling weaknesses through malicious web content. The issue was discovered and responsibly reported by a security researcher identified as “303f06e3” on April 27, 2026. Google awarded the researcher a bug bounty of $55,000 in recognition of the responsible disclosure process that helped identify and mitigate the security risk before broader exploitation.
Although Google acknowledged the existence of active exploitation linked to CVE-2026-11645, the company has limited technical details regarding attack methods and exploitation activity to reduce the likelihood of additional abuse before users install security fixes. This approach follows Google’s standard practice for high-severity vulnerabilities where exploit activity has already been detected. The latest patch cycle also highlights continued browser security challenges during 2026, with Google confirming that CVE-2026-11645 marks the fifth actively exploited Chrome zero-day addressed since the beginning of the year. Previously disclosed vulnerabilities included CVE-2026-2441, CVE-2026-3909, CVE-2026-3910, and CVE-2026-5281, all of which received emergency attention following evidence of real-world exploitation.
To mitigate risk, Google has advised users to immediately update Chrome to version 149.0.7827.102 or 149.0.7827.103 for Windows and Apple macOS systems, while Linux users are advised to install version 149.0.7827.102. Users can manually verify updates by navigating through More, Help, and About Google Chrome before relaunching the browser to activate the latest protections. Security specialists also noted that users of Chromium-based browsers including Microsoft Edge, Brave, Opera, and Vivaldi should monitor vendor updates and apply security patches once available, as many Chromium-based products inherit vulnerabilities originating from Chrome’s core browser engine.
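For administrators checking many machines, the version guidance above can be applied to an inventory export. The Python below is an added example, not code from Google or from this article's sources; the host names, platform labels and inventory rows are constructed, and the thresholds are the Google Chrome builds named above, so they do not apply to other Chromium-based browsers.

```python
import re

# Minimum fixed Chrome build per platform, as listed in the article.
# The platform labels are this example's own naming (assumption).
FIXED_BUILD = {
    "windows": (149, 0, 7827, 102),
    "macos": (149, 0, 7827, 102),
    "linux": (149, 0, 7827, 102),
}

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Extract a four-part Chrome version as a tuple of ints, or None."""
    match = VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def needs_update(platform, version_text):
    """True if the build is older than the fixed build, or cannot be judged."""
    fixed = FIXED_BUILD.get(platform.lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return True  # unknown platform or unreadable version: flag for review
    # Tuples compare numerically per component, so .99 < .102 as intended;
    # comparing the raw strings would sort "99" after "102" and miss the host.
    return version < fixed


def audit(inventory):
    """Return the hosts whose Chrome build should be updated or reviewed."""
    return [host for host, platform, text in inventory
            if needs_update(platform, text)]


# Constructed inventory rows: (host, platform, reported version string).
SAMPLE_INVENTORY = [
    ("ws-001", "windows", "Google Chrome 149.0.7827.103"),
    ("ws-002", "windows", "Google Chrome 149.0.7827.99"),
    ("mac-07", "macos", "Google Chrome 148.0.7778.215"),
    ("lnx-12", "linux", "Google Chrome 149.0.7827.102 "),
    ("lnx-13", "linux", "version unknown"),
]

if __name__ == "__main__":
    for host in audit(SAMPLE_INVENTORY):
        print(f"{host}: update or review Chrome")
```

A browser that has downloaded the update still runs the old build until it is relaunched, so the inventory should record the running version rather than the installed package.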