TP-EXP-2026-0317 CVE-2026-11645 high Patched AI Draft

Google Chromium V8 Out-of-Bounds Read and Write (CVE-2026-11645)

CVE: CVE-2026-11645
Platform: Google Chromium V8
Type: Out-of-Bounds Read and Write
Severity: HIGH
Status: Patched
Zero-Day: Confirmed
Disclosed: June 8, 2026
Patched: June 8, 2026
CISA KEV: Listed

Severity Assessment

  • Exploitability: 8/10 — NVD scores the vulnerability with network attack vector, low attack complexity, no privileges required, and required user interaction through a crafted HTML page.
  • Impact: 8/10 — NVD assigns high confidentiality, integrity, and availability impact for code execution inside the browser sandbox.
  • Weaponization Risk: 8/10 — Google states that an exploit for CVE-2026-11645 exists in the wild, and CISA added the vulnerability to the Known Exploited Vulnerabilities catalog on 2026-06-09.
  • Patch Urgency: 9/10 — CISA lists a 2026-06-23 required action deadline, and Google has shipped fixed Chrome stable builds.
  • Detection Coverage: 4/10 — Public sources do not provide exploit indicators, payload details, or attacker infrastructure; defenders are limited to patch status, browser telemetry, and suspicious web-content execution signals.

Summary

CVE-2026-11645 is a high-severity out-of-bounds memory access vulnerability in the V8 JavaScript engine used by Google Chromium and Chrome. NVD describes the flaw as an out-of-bounds read and write issue in Google Chrome before version 149.0.7827.103 that could allow a remote attacker to execute arbitrary code inside a sandbox through a crafted HTML page.

Google released a Stable Channel update for desktop on 2026-06-08. The update moved Chrome to 149.0.7827.102/.103 for Windows and Mac and 149.0.7827.102 for Linux, and Google listed CVE-2026-11645 as a high-severity V8 out-of-bounds memory access issue. The release note also says Google was aware that an exploit for CVE-2026-11645 existed in the wild.

CISA added CVE-2026-11645 to the Known Exploited Vulnerabilities catalog on 2026-06-09 and set a 2026-06-23 required action deadline for covered federal systems. CISA notes that Chromium-based browsers beyond Google Chrome may be affected, including Microsoft Edge and Opera, because they use Chromium components.

Exploit Chain

Stage 1: Deliver crafted web content

The attacker needs a victim to process crafted HTML content in an affected Chromium-based browser. Public sources do not identify the delivery method used in observed exploitation. Possible delivery paths should be treated as investigative hypotheses unless local telemetry confirms them.

Stage 2: Trigger V8 memory corruption

The crafted page exercises vulnerable V8 behavior that causes out-of-bounds memory access. CISA maps the issue to CWE-787 and CWE-125, and NVD describes the vulnerability as an out-of-bounds read and write in V8.

Stage 3: Execute code inside the browser sandbox

NVD and CISA state that exploitation can allow arbitrary code execution inside a sandbox. Public sources do not identify a sandbox escape, post-exploitation payload, attacker infrastructure, or targeted victim set for this CVE.

Detection Guidance

  1. Inventory Chrome and Chromium-based browsers and verify that Google Chrome is on a fixed stable build: Google's release note lists 149.0.7827.102/.103 for Windows and Mac and 149.0.7827.102 for Linux, while NVD describes affected versions as those before 149.0.7827.103, so 149.0.7827.103 is the conservative threshold. Compare version components numerically; a plain string comparison ranks build .99 above build .102.
  2. Apply equivalent vendor updates for Chromium-based browsers such as Microsoft Edge, Opera, or embedded Chromium runtimes when those vendors publish fixed builds. Their version numbers do not map directly onto Chrome build numbers, so check each vendor's advisory rather than comparing against the Chrome threshold.
  3. Review endpoint telemetry for renderer process crashes (V8 executes inside the renderer process, so a V8 memory-safety fault surfaces as a renderer crash rather than as a separate V8 process), unexpected child processes spawned by the browser, or other abnormal browser process behavior after visits to unusual or newly observed web pages.
  4. Correlate suspicious browser activity with web proxy, DNS, and EDR data to identify crafted-page delivery paths.
  5. Treat public exploit-chain gaps conservatively: no reviewed source identifies a specific malware family, actor, campaign, or infrastructure tied to CVE-2026-11645.
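The inventory check in steps 1 and 2, written out as an added example (this is not code from Google, NVD, or CISA). It takes the fixed-build thresholds from the advisory text above; the inventory row format (`host,product version`) and the sample rows are constructed for the example, and the Edge version string in them is illustrative only. Chrome and Chromium share build numbers and are compared; other Chromium-based products are deliberately routed to a "check vendor advisory" status instead of being compared against the Chrome threshold.

```python
"""Added example: triage a browser inventory against the fixed Chrome builds
for CVE-2026-11645. Thresholds come from the advisory; row format and sample
rows are constructed, not real telemetry."""
import re
from typing import List, Optional, Tuple

# Lowest fixed build in Google's 2026-06-08 Stable Channel note (Linux shipped
# .102; Windows and Mac shipped .102/.103).
FIXED_GOOGLE = (149, 0, 7827, 102)
# NVD lists affected versions as "before 149.0.7827.103": the stricter bound.
FIXED_NVD = (149, 0, 7827, 103)

# Chrome and Chromium share the four-part build number. Edge, Opera and other
# Chromium-based products number builds differently and must not match here.
_CHROME_RE = re.compile(r"(?:Google Chrome|Chromium)\s+(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_chrome_version(text: str) -> Optional[Tuple[int, ...]]:
    """Return the Chrome/Chromium version as an int tuple, or None otherwise."""
    m = _CHROME_RE.search(text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_vulnerable(text: str, fixed=FIXED_GOOGLE) -> Optional[bool]:
    """True if the build predates `fixed`, False if fixed, None if not Chrome.

    Tuple comparison is numeric per component, so (149, 0, 7827, 99) sorts
    below (149, 0, 7827, 102); comparing the raw strings would get this wrong.
    """
    v = parse_chrome_version(text)
    if v is None:
        return None
    return v < fixed


def triage_inventory(rows: List[str], fixed=FIXED_GOOGLE) -> List[Tuple[str, str]]:
    """Map each constructed 'host,product version' row to (host, status)."""
    result = []
    for row in rows:
        host, _, product = row.partition(",")
        state = is_vulnerable(product, fixed)
        if state is None:
            status = "check-vendor-advisory"  # Edge, Opera, embedded Chromium
        elif state:
            status = "vulnerable"
        else:
            status = "patched"
        result.append((host.strip(), status))
    return result


# Constructed sample inventory (not real data; the Edge version is illustrative).
SAMPLE_INVENTORY = [
    "ws-001,Google Chrome 149.0.7827.99",
    "ws-002,Google Chrome 149.0.7827.102",
    "ws-003,Chromium 150.0.7901.5",
    "ws-004,Microsoft Edge 149.0.3381.10",
]

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {status}")
```

Passing `FIXED_NVD` as the threshold reclassifies build 149.0.7827.102 as vulnerable, which is the conservative reading of the NVD range; with Google's own build list it counts as patched.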

Indicators of Compromise

No stable indicators of compromise have been published in the reviewed sources. The following behaviors are investigative leads, not confirmed IOCs:

  • Visits to unknown or unexpected web pages followed by Chrome or Chromium renderer crashes.
  • Browser crash telemetry showing memory-safety faults in the renderer process, where V8 executes, on builds that predate the fix.
  • Unexpected browser process behavior after rendering untrusted HTML content.
  • Attempts to chain browser code execution with separate sandbox escape or persistence activity.
  • Repeated access to pages that trigger exploit-like crashes only on vulnerable Chromium builds.
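The first and last leads above, plus steps 3 and 4 of the detection guidance, amount to one query: join renderer crashes with what the same host fetched shortly before, then rank domains by how strongly they are associated with crashing hosts versus the whole fleet. The block below is an added example of that ranking, not code from any of the reviewed sources. Everything in it is constructed: the EDR-style process-exit lines, the proxy lines, the field layout, and the hosts and domains. Two details are real but generic: Chrome starts renderers with `--type=renderer`, and `0xC0000005` is the Windows STATUS_ACCESS_VIOLATION exit code. Neither is specific to CVE-2026-11645, so the output is a triage ordering, not a confirmation of exploitation.

```python
"""Added example: rank domains by their association with renderer crashes.
All log lines, field layouts, hosts and domains are constructed for this
example; the window length is an assumed 60 seconds."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit

# Constructed process-exit events: "<ts> <host> <image> <args...> exit=<code>".
# V8 runs inside the renderer, so a V8 fault shows up as a renderer exit.
CRASH_EVENTS = [
    "2026-06-08T14:02:31Z ws-001 chrome.exe --type=renderer exit=0xC0000005",
    "2026-06-08T14:02:34Z ws-001 chrome.exe --type=renderer exit=0xC0000005",
    "2026-06-08T15:10:02Z ws-002 chrome.exe --type=renderer exit=0x0",
    "2026-06-08T16:45:10Z ws-003 chrome.exe --type=renderer exit=0xC0000005",
]

# Constructed proxy log: "<ts> <host> <url>".
PROXY_LOG = [
    "2026-06-08T14:01:50Z ws-001 https://intranet.example.com/home",
    "2026-06-08T14:02:05Z ws-001 https://cdn-assets.example.net/lib.js",
    "2026-06-08T14:02:12Z ws-001 https://promo-landing.example.org/index.html",
    "2026-06-08T15:09:40Z ws-002 https://intranet.example.com/home",
    "2026-06-08T16:44:55Z ws-003 https://promo-landing.example.org/index.html",
    "2026-06-08T09:00:00Z ws-010 https://cdn-assets.example.net/lib.js",
    "2026-06-08T09:30:00Z ws-011 https://intranet.example.com/home",
]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_crashes(lines: List[str]) -> List[Tuple[datetime, str]]:
    """Keep renderer exits whose exit code is non-zero; clean exits are noise."""
    crashes = []
    for line in lines:
        ts, host, *rest = line.split()
        exit_code = next(f for f in rest if f.startswith("exit=")).split("=", 1)[1]
        if "--type=renderer" in rest and exit_code != "0x0":
            crashes.append((parse_ts(ts), host))
    return crashes


def parse_proxy(lines: List[str]) -> List[Tuple[datetime, str, str]]:
    """Reduce each proxy line to (ts, host, domain)."""
    out = []
    for line in lines:
        ts, host, url = line.split()
        out.append((parse_ts(ts), host, urlsplit(url).hostname))
    return out


def score_domains(crash_lines: List[str], proxy_lines: List[str],
                  window: timedelta = timedelta(seconds=60)
                  ) -> List[Tuple[str, int, int, float]]:
    """Return (domain, crashing_hosts, all_hosts, ratio), strongest lead first.

    A domain fetched by every host that later crashed, and by nobody else,
    scores 1.0; a widely used domain that one crashing host also visited
    scores low. Prevalence across the fleet is the baseline that keeps
    intranet and CDN domains from dominating the list.
    """
    crashes = parse_crashes(crash_lines)
    visits = parse_proxy(proxy_lines)

    all_hosts: Dict[str, Set[str]] = defaultdict(set)
    for _, host, domain in visits:
        all_hosts[domain].add(host)

    crash_hosts: Dict[str, Set[str]] = defaultdict(set)
    for crash_ts, host in crashes:
        for ts, vhost, domain in visits:
            if vhost == host and crash_ts - window <= ts <= crash_ts:
                crash_hosts[domain].add(host)

    leads = []
    for domain, hosts in crash_hosts.items():
        total = len(all_hosts[domain])
        leads.append((domain, len(hosts), total, len(hosts) / total))
    leads.sort(key=lambda r: (-r[3], -r[1], r[0]))
    return leads


if __name__ == "__main__":
    for domain, n_crash, n_all, ratio in score_domains(CRASH_EVENTS, PROXY_LOG):
        print(f"{domain}: {n_crash}/{n_all} hosts crashed after visiting ({ratio:.2f})")
```

On the constructed data the landing page visited only by the two crashing hosts ranks first, the shared CDN second, and the intranet portal last. In a real environment the same ordering is only a starting point: renderer access violations also come from ordinary bugs and from unrelated Chromium issues, so each lead still needs the crash dump or the page itself examined before it is treated as exploitation of this CVE.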

Disclosure Timeline

  • 2026-04-27: Vulnerability reported. Google credits the external report for CVE-2026-11645 on 2026-04-27 in its Chrome Stable Channel release note.
  • 2026-06-08: Google stable update released. Google released Chrome Stable Channel desktop builds that include the fix and stated that an exploit for CVE-2026-11645 exists in the wild.
  • 2026-06-09: NVD publication. NVD published CVE-2026-11645 with a CVSS 3.1 score of 8.8 (high) and affected Google Chrome versions before 149.0.7827.103.
  • 2026-06-09: CISA KEV addition. CISA added CVE-2026-11645 to the Known Exploited Vulnerabilities catalog.
  • 2026-06-23: CISA remediation deadline. CISA lists 2026-06-23 as the required action deadline for applicable federal civilian executive branch systems.

Sources & References