Google Patches 5th Chrome Zero-Day of 2026: CVE-2026-11645
Google on Monday rolled out Chrome 149, a critical security update that patches 74 vulnerabilities, including a high-severity zero-day flaw actively exploited in the wild. The vulnerability, tracked as CVE-2026-11645, is an out-of-bounds read/write issue in the V8 JavaScript engine that allows a remote attacker to execute arbitrary code inside a sandbox via a specially crafted HTML page. Google has not disclosed details about the in-the-wild attacks, but researchers believe the flaw has likely been chained with a separate sandbox escape vulnerability to achieve full system compromise.
According to Google's advisory, the zero-day was reported in late April by an anonymous researcher identified by the handle "303f06e3," who has previously reported other Chrome vulnerabilities to the company. The researcher was awarded $55,000 under Google's bug bounty program for the responsible disclosure. CVE-2026-11645 marks the fifth Chrome zero-day exploited in the wild in 2026, following CVE-2026-2441, CVE-2026-3909, CVE-2026-3910, and CVE-2026-5281. Users are urged to update to the latest Chrome version immediately and to verify that their browser is patched by checking the version in chrome://settings. A quick browser fingerprint test can also help confirm your browser is reporting current and consistent data.
Google noted that the number of vulnerabilities discovered by its own teams has surged over recent months, with most of the critical and high-severity flaws in this release identified internally. The company attributes the spike to AI-assisted vulnerability research, though it has not disclosed which models or tools are being used. Notably, Google recently reduced base bug bounty rewards for Chrome vulnerabilities, citing the impact of AI on scaling up flaw discovery. With attackers increasingly targeting browser engines like V8, users should also ensure their overall security posture is solid — running a password checker to audit stored credentials and a privacy checkup can help reduce exposure if a browser-based exploit succeeds.