Chrome Patch Panic: The Fifth Zero-Day of 2026 for Your Favourite Browser
Google confirms the fifth Chrome zero-day of 2026 is actively exploited. Update immediately to patch a severe V8 memory flaw and 73 other bugs.
Google just dropped an emergency Chrome patch, and if you manage a fleet of endpoints, you do not want to wait for the automatic rollout. We are looking at the fifth actively exploited zero-day to hit Chrome in 2026. Tracked as CVE-2026-11645, this flaw is an out-of-bounds memory access vulnerability living right inside the V8 JavaScript engine.
For the uninitiated, out-of-bounds memory bugs in V8 are the holy grail for browser exploitation. The V8 engine has to process untrusted JavaScript from literally every website your users visit. When a program can read or write outside its allocated memory boundaries, an attacker can corrupt the heap. This allows them to bypass memory protections like ASLR and leak sensitive session data. In this specific case, all it takes is luring a victim to a specially crafted HTML page. Once the page loads, the malicious code executes inside the browser sandbox. Naturally, the attackers are likely chaining this with a secondary flaw to escape that restrictive environment and take full control of the machine.
Google confirmed this vulnerability is already being exploited in the wild. An external researcher operating under the handle "303f06e3" reported the bug back in April and walked away with a massive $55,000 bounty. It took Google roughly two weeks to push the fix, meaning attackers had a material operational window to compromise targets before defenders even knew what hit them.
While the zero-day is grabbing all the headlines, this update is an absolute monster. Google packed 74 total security fixes into this release, including 17 critical vulnerabilities. If you dig into the release notes, you will see it is a graveyard of use-after-free defects spread across nearly every core subsystem. They patched memory corruption flaws in WebRTC, ServiceWorker, the PDF viewer, and the GPU renderer. It looks like Google ran a massive internal security audit over the last month and realized just how leaky their flagship browser had become.
Do not rely on your RMM to catch this on the next scheduled patch cycle. Enterprise Chrome deployments with delayed auto-updates are sitting ducks right now. You need to push version 149.0.7827.102 (or .103 for Mac and Windows) across your managed endpoints immediately. If you have standalone machines, tell your users to navigate to Help under the main menu and click About Google Chrome to force the download.
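To find out which endpoints still need the push, here is a small triage script. It is an added example, not something from Google or from your RMM vendor. The inventory columns and hostnames are constructed, and it assumes 149.0.7827.102 is the minimum fixed build on every platform, with .103 being the alternative Mac and Windows build.

```python
import csv
import io
import re

# Minimum fixed build named in the article. Assumption: .102 is the floor on
# every platform, since the article lists .103 as an alternative Mac/Windows build.
FIXED = (149, 0, 7827, 102)

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

# Constructed sample inventory export (hostname, os, reported version string).
SAMPLE_INVENTORY = """\
hostname,os,chrome_version
wks-001,windows,149.0.7827.103
wks-002,windows,149.0.7827.90
mac-014,macos,Google Chrome 149.0.7827.102
lnx-007,linux,Google Chrome 148.0.7778.167
kiosk-3,windows,
srv-022,linux,150.0.7900.12
"""


def parse_version(text):
    """Return a 4-tuple of ints, or None if no four-part version is present."""
    m = VERSION_RE.search(text or "")
    return tuple(int(p) for p in m.groups()) if m else None


def triage(inventory_csv, fixed=FIXED):
    """Split hosts into patched / vulnerable / unknown lists."""
    result = {"patched": [], "vulnerable": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        version = parse_version(row.get("chrome_version"))
        if version is None:
            # Missing or unparsable data is not evidence of a patched host.
            result["unknown"].append(row["hostname"])
        elif version >= fixed:  # tuple compare: numeric, not string, ordering
            result["patched"].append(row["hostname"])
        else:
            result["vulnerable"].append(row["hostname"])
    return result


if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:10} {', '.join(hosts) or '-'}")
```

Note that build .90 sorts above .102 in a plain string comparison, which is why the versions are compared as integer tuples; hosts with no readable version land in "unknown" so they get chased rather than assumed safe.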
This sustained wave of V8 exploitation proves that memory safety is still the biggest hurdle for browser vendors. The bad guys have clearly figured out a reliable methodology for finding these bugs, and until the architecture fundamentally changes, we are just going to keep playing patch roulette.