Google has patched an actively exploited zero-day in Chrome's V8 JavaScript engine, and the issue is already moving through the highest-priority remediation channels. The flaw, tracked as CVE-2026-11645, was disclosed by Google on 2026-06-08, then added by CISA to the Known Exploited Vulnerabilities catalog on 2026-06-09.
That sequence matters. A browser update can look routine in change-management queues, but once active exploitation is confirmed and KEV follows immediately after, defenders should treat the patch as a near-term operational priority.
What the flaw is
According to Google's advisory, CVE-2026-11645 is an out-of-bounds memory access bug in V8. NVD describes it as an issue that allows a remote attacker to execute arbitrary code inside Chrome's sandbox via a crafted HTML page.
The public description is deliberately narrow, but it is still enough to classify this as a serious vulnerability. Code execution inside the browser sandbox is not the same as full host compromise, yet it gives attackers a meaningful foothold on one of the most exposed application surfaces in any organization.
Why KEV changes the priority
CISA's KEV listing is often the moment when a bug shifts from "important" to "patch now." For federal agencies, the catalog comes with formal remediation deadlines. For everyone else, it is still a strong signal that exploitation is real and that delaying updates increases avoidable exposure.
In this case, NVD shows the KEV entry was added on 2026-06-09 with a due date of 2026-06-23. That is a short window, and it reflects the expected urgency around browser flaws that can be triggered through malicious web content.
What defenders should pay attention to
This is not the kind of issue to measure only by whether it yields immediate system-level control. An in-the-wild exploit against Chrome can still support credential theft, surveillance, or follow-on exploitation if paired with another bug.
The practical risk is higher because:
- Chrome is broadly deployed across enterprises and personal devices
- malicious pages, phishing lures, or ad-driven traffic can serve as delivery points
- users may assume browser updates can wait a few days when they should not
- threat actors only need a narrow success window before patch adoption catches up
Affected versions and fix
Google says the Stable channel update brings Chrome to 149.0.7827.102/.103 for Windows and Mac and 149.0.7827.102 for Linux. NVD lists affected versions as Chrome releases prior to 149.0.7827.103.
Because Google also notes that rollout can take days or weeks, security teams should not assume every endpoint is protected just because the fix exists upstream. Validation matters.
What teams should do now
Recommended actions:
- force or verify Chrome updates across managed endpoints
- prioritize internet-facing and high-risk user populations first
- look for lagging browser versions in endpoint management and EDR inventories
- review web filtering and phishing telemetry for signs of suspicious lure activity
- watch for chaining behavior that could indicate attempts to turn sandbox access into deeper compromise
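The "look for lagging browser versions" step above is easy to get wrong with a plain string sort, so here is an added example (not from Google, CISA or NVD) that triages a constructed Chrome inventory against the fixed build quoted in this article; the inventory rows, hostnames and the choice of 149.0.7827.102 as the fix threshold are assumptions of this example.

```python
import re
from typing import Optional

# Earliest Stable build carrying the fix, per Google's note quoted above
# (149.0.7827.102 on Linux; .102/.103 on Windows and Mac). NVD's "prior to
# 149.0.7827.103" is stricter; pass fixed=(149, 0, 7827, 103) to use it.
FIXED_BUILD = (149, 0, 7827, 102)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")

def parse_version(text: str) -> Optional[tuple]:
    """Parse a four-part Chrome version string into ints; None if malformed."""
    m = _VERSION_RE.match(text.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def is_vulnerable(version: str, fixed=FIXED_BUILD) -> Optional[bool]:
    """True if the build predates the fix, False if at or after it,
    None if the version could not be parsed (needs manual review)."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    # Numeric tuple comparison: 149.0.7827.99 < .102, unlike a string sort.
    return parsed < fixed

def triage_inventory(lines, fixed=FIXED_BUILD) -> dict:
    """Bucket 'hostname,platform,version' rows into vulnerable/patched/review."""
    report = {"vulnerable": [], "patched": [], "review": []}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            report["review"].append(line)
            continue
        host, _platform, version = parts
        state = is_vulnerable(version, fixed)
        bucket = "review" if state is None else ("vulnerable" if state else "patched")
        report[bucket].append(host)
    return report

# Constructed sample inventory (hostnames are made up for this example).
SAMPLE_INVENTORY = [
    "# hostname,platform,chrome_version",
    "ws-001,windows,149.0.7827.102",
    "ws-002,windows,149.0.7827.99",
    "ws-003,mac,148.0.7770.55",
    "srv-dev1,linux,149.0.7827.102",
    "ws-004,windows,150.0.7900.10",
    "ws-005,windows,unknown",
]
```

Rows that fail to parse land in the review bucket rather than being silently counted as patched, which is the failure mode that matters when rollout lags and endpoints self-report odd version strings.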
Bottom line
CVE-2026-11645 is another reminder that browser zero-days do not stay theoretical for long. Google patched it on June 8, 2026, and CISA added it to KEV on June 9, 2026. If Chrome is in your environment, this is the kind of update that should move ahead of routine patch backlog.