Google fixes the fifth actively exploited Chrome zero-day of 2026

Google fixed a new Chrome zero-day, tracked as CVE-2026-11645, in the V8 JavaScript engine, which is already being exploited in the wild.

Google released emergency updates to address a new Chrome zero-day vulnerability, tracked as CVE-2026-11645, that has been exploited in the wild. This flaw is the fifth Chrome zero-day that is being exploited in the wild in 2026.

“Google is aware that an exploit for CVE-2026-11645 exists in the wild,” reads the advisory advisory.

The vulnerability is an out-of-bounds memory access in the V8 JavaScript engine. Out-of-bounds memory access occurs when a program reads from or writes to a memory location outside the boundaries of an allocated buffer, array, or memory region. Such flaws could lead to denial of service conditions (application crashes), privilege escalation, ot remote code execution (RCE).

As usual, Google did not share technical details about the attacks exploiting this vulnerability.

Since the start of the year, Google has addressed the following zero-day flaws exploited in attacks in the wild:

• February 2026 – CVE-2026-2441 – Use after free in CSS.
• March 2026 – CVE-2026-3909 (CVSS score: 8.8) – Out-of-bounds write in the Skia 2D graphics library and CVE-2026-3910 (CVSS score: 8.8) – Flaw in the implementation of the V8 JavaScript/WebAssembly engine.
• April 2026 – CVE-2026-5281 – Use-after-free bug in Dawn, the WebGPU component used for graphics processing.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Chrome)