high Threat analysis

Google Chromium V8 CVE-2026-11645: KEV Out-of-Bounds Execution in JavaScript Engine

Google fixed actively exploited CVE-2026-11645 in the June 8, 2026 Chrome desktop update. The V8 out-of-bounds memory flaw can allow code execution inside the browser sandbox through crafted HTML.

#google-chrome #chromium #v8 #cisa-kev #zero-day

    Executive Summary

    Google released Chrome desktop builds 149.0.7827.102/.103 for Windows and macOS and 149.0.7827.102 for Linux on 2026-06-08. The release fixed CVE-2026-11645, a high-severity out-of-bounds memory-access vulnerability in V8, and Google stated that an exploit exists in the wild (Google Chrome Releases).

    CISA added the vulnerability to the Known Exploited Vulnerabilities catalog on 2026-06-09 with a federal remediation due date of 2026-06-23 (CISA alert). NVD describes the issue as an out-of-bounds read and write that can allow a remote attacker to execute arbitrary code inside the browser sandbox through crafted HTML (NVD). Public sources reviewed through 2026-06-10 do not establish a sandbox escape, exploit chain, campaign, or public indicators beyond vulnerable browser versions.

    Key Facts

    cve: "CVE-2026-11645"
    vendor: "Google"
    affected_component: "Chromium V8"
    vulnerability: "Out-of-bounds read and write"
    weaknesses:
      - "CWE-125"
      - "CWE-787"
    reported_to_google: "2026-04-27"
    vendor_release_date: "2026-06-08"
    kev_added: "2026-06-09"
    kev_due_date: "2026-06-23"
    fixed_desktop_builds:
      - "149.0.7827.102/.103 for Windows and macOS"
      - "149.0.7827.102 for Linux"
    nvd_affected_boundary: "Google Chrome prior to 149.0.7827.103"
    cvss_v3_1: "8.8 HIGH"
    cvss_vector: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
    known_ransomware_use: "Unknown"
    last_verified: "2026-06-10"

    Source Confidence & Evidence Mapping

    • confirmed: Google lists CVE-2026-11645 as a high-severity V8 out-of-bounds memory-access flaw, credits reporter 303f06e3, records a $55,000 reward, and states that an exploit exists in the wild (Google Chrome Releases).
    • confirmed: CISA added the flaw to KEV on 2026-06-09 and requires federal agencies to apply vendor mitigations by 2026-06-23 (CISA KEV).
    • confirmed: NVD records code execution inside a sandbox through crafted HTML, user interaction required, and CWE-125/CWE-787 mappings (NVD).
    • unclear: Google has not publicly described the exploited technique, target population, delivery infrastructure, or whether CVE-2026-11645 was chained with a sandbox escape.

    Impact Determination

    | Classification | Criteria | Required evidence | Handling decision | Closure condition |
    |---|---|---|---|---|
    | Confirmed compromise | Browser or endpoint telemetry ties exploitation behavior to CVE-2026-11645 or to a vendor-confirmed exploit sample. | Preserved browser process tree, crash artifacts, browsing history, EDR telemetry, and vendor confirmation. | Isolate the endpoint and preserve browser and endpoint evidence. | The endpoint is rebuilt or forensically cleared and the exploited entry point is documented. |
    | Presumed exposed | Chrome or another Chromium-derived browser used a vulnerable V8 build and loaded untrusted web content before patching. | Browser version history, software inventory, update logs, and proxy or browser history. | Patch immediately and prioritize endpoint review where suspicious browser behavior exists. | A fixed build is installed and available telemetry has been reviewed. |
    | Potentially exposed | A Chromium-derived browser is present, but the embedded Chromium/V8 version or update state is not known. | Product-specific version inventory and vendor release mapping. | Obtain the downstream vendor’s fixed-version guidance; do not assume Chrome version numbers apply directly. | Every installed Chromium-derived product is mapped to a fixed or vulnerable build. |
    | Not exposed | The browser was already on a vendor-confirmed fixed build before relevant browsing activity, or the product does not embed affected Chromium/V8 code. | Version and update timestamps plus vendor applicability data. | Retain the inventory result. | Evidence identifies the installed build and its patch status. |
    | Unknown | Browser inventory, update timestamps, or endpoint telemetry is unavailable. | A gap statement naming missing assets and time ranges. | Treat patch status as unknown and force an update. | Inventory coverage is restored or risk acceptance is recorded. |

    Timeline

    • 2026-04-27: Google records the vulnerability report from 303f06e3 (Google Chrome Releases).
    • 2026-06-08: Google publishes the Chrome desktop stable-channel update and states that an exploit exists in the wild (Google Chrome Releases).
    • 2026-06-09: CISA adds CVE-2026-11645 to KEV with a 2026-06-23 due date (CISA alert).
    • 2026-06-10: Primary-source review finds no public exploit-chain details or incident-specific network indicators.

    What Happened

    CVE-2026-11645 is an out-of-bounds memory-access vulnerability in V8. A remote attacker can trigger the flaw by getting a user to load crafted HTML. The public Chrome and NVD descriptions support arbitrary code execution inside the browser sandbox; they do not support claims that the vulnerability independently escapes that sandbox or spawns operating-system commands (Google Chrome Releases; NVD).

    Technical Analysis

    Google is withholding detailed bug information while users update. The restricted Chromium issue is 506689381. Public evidence does not identify the exact V8 subsystem, optimization phase, object type, exploit primitive, or exploit-chain partner. Defenders should therefore hunt on patch state and abnormal browser behavior rather than unsupported assumptions about TurboFan, array indexing, ASLR bypass, or a specific payload.

    Affected Assets and Blast Radius

    affected_assets:
      - "Google Chrome desktop installations below the vendor-fixed builds"
      - "Chromium-derived browsers whose vendors confirm use of the affected V8 code"
    highest_priority:
      - "Browsers used for privileged administration"
      - "Internet-facing kiosks and shared workstations"
      - "Unmanaged endpoints with delayed browser updates"
    not_established:
      - "A public sandbox-escape chain"
      - "A named exploitation campaign"
      - "Incident-specific domains, IP addresses, URLs, or file hashes"

    Indicators of Compromise

    vulnerabilities:
      - "CVE-2026-11645"
    version_selectors:
      - "Chrome desktop build below 149.0.7827.102/.103 on Windows or macOS"
      - "Chrome desktop build below 149.0.7827.102 on Linux"
    issue_selectors:
      - "Chromium issue 506689381"
    network_iocs_defanged: []
    file_hashes: []

    Detection and Hunting

    Script: local repository and exported telemetry scope

    #!/usr/bin/env python3
    import os
    import sys
    from pathlib import Path
    
    ROOT = sys.argv[1] if len(sys.argv) > 1 else "."
    LOG_ROOT = os.environ.get("LOG_ROOT", "")
    OUT = Path(os.environ.get("OUT", "hp-google-chromium-v8-cve-2026-11645-kev-scope"))
    SINCE = "2026-06-09T00:00:00Z"
    UNTIL = "2026-06-09T23:59:59Z"
    
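    # No incident-specific selectors are public for this flaw (see Indicators of
    # Compromise), so the selector lists below are empty until a source supplies values.
    PACKAGES = [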
    ]
    VERSIONS = [
    ]
    FILES = [
    ]
    DOMAINS = [
    ]
    URLS = [
    ]
    IPS = [
    ]
    HASHES = [
    ]
    PROCESS_PATTERNS = [
    ]
    NETWORK_PATTERNS = [
    ]
    
    # Positive signal: repository, lockfile, artifact, process, or network telemetry contains one of the exact incident selectors above.
    # Escalation: any match tied to a production build, CI run, deployed asset, or secret-bearing host moves the asset to presumed exposed.
    
    OUT.mkdir(parents=True, exist_ok=True)
    indicators_file = OUT / "indicators.txt"
    
    # Collect unique indicators
    indicators = set()
    for group in [PACKAGES, VERSIONS, FILES, DOMAINS, URLS, IPS, HASHES, PROCESS_PATTERNS, NETWORK_PATTERNS]:
        for val in group:
            if val:
                indicators.add(val)
    
    with open(indicators_file, "w") as f:
        for ind in sorted(indicators):
            f.write(ind + "\n")
    
    print(f"[+] Written unique selectors to {indicators_file}")
    
    # Walk local directory
    print(f"[+] Scanning directory: {ROOT} for selectors...")
    matches = []
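    # Skip dependency/build directories and the output directory itself, whose
    # indicators.txt would otherwise match every selector when OUT sits under ROOT.
    exclude_dirs = {"node_modules", "vendor", "dist", ".git", OUT.name}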
    for root, dirs, filenames in os.walk(ROOT):
        dirs[:] = [d for d in dirs if d not in exclude_dirs]
        for filename in filenames:
            filepath = Path(root) / filename
            try:
                content = filepath.read_text(errors="ignore")
                for ind in indicators:
                    if ind in content:
                        matches.append(f"{filepath}: found '{ind}'")
            except Exception:
                pass
    
    if matches:
        (OUT / "repository-indicator-matches.txt").write_text("\n".join(matches) + "\n")
        print(f"[!] Found {len(matches)} matches in codebase!")
    
    # Optional Log Scanning
    if LOG_ROOT and os.path.exists(LOG_ROOT):
        print(f"[+] Scanning telemetry log directory: {LOG_ROOT}...")
        log_matches = []
        for root, _, filenames in os.walk(LOG_ROOT):
            for filename in filenames:
                filepath = Path(root) / filename
                try:
                    content = filepath.read_text(errors="ignore")
                    for ind in indicators:
                        if ind in content:
                            log_matches.append(f"{filepath}: found '{ind}'")
                except Exception:
                    pass
        if log_matches:
            (OUT / "exported-telemetry-indicator-matches.txt").write_text("\n".join(log_matches) + "\n")
            print(f"[!] Found {len(log_matches)} matches in logs!")
    
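    # Directory reserved for registry lookups; created only when package selectors
    # are defined, independent of whether LOG_ROOT is set.
    if PACKAGES:
        registry_dir = OUT / "registry"
        registry_dir.mkdir(exist_ok=True)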
    
    print(f"[+] Wrote scope artifacts under {OUT}")
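
The script above matches exact strings, but the only public selectors for this flaw are version boundaries, so patch state needs a numeric build comparison. The following is an added example (not part of the original page or any vendor tooling) that classifies inventory rows using the fixed builds from Key Facts and the labels from Impact Determination; the row schema, the sample hosts, and the "Fixed build installed" label are assumptions.

```python
# Added example: classify browser inventory rows by patch state for CVE-2026-11645.
# Thresholds are the fixed desktop builds listed in Key Facts; the row schema
# (host/product/platform/version) and the sample rows are constructed.
from collections import Counter

FIXED_BUILD = {
    "windows": (149, 0, 7827, 102),  # vendor lists .102/.103 as fixed
    "macos": (149, 0, 7827, 102),    # vendor lists .102/.103 as fixed
    "linux": (149, 0, 7827, 102),
}

def parse_build(text):
    """Return a 4-part integer tuple, or None when the value is not a full build number."""
    parts = (text or "").strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(row):
    product = (row.get("product") or "").strip().lower()
    platform = (row.get("platform") or "").strip().lower()
    build = parse_build(row.get("version"))
    if not product:
        return "Unknown"
    if product != "google chrome":
        # Downstream Chromium browsers: Chrome build numbers do not apply directly.
        return "Potentially exposed"
    if build is None or platform not in FIXED_BUILD:
        return "Unknown"
    # Tuple comparison is numeric per component, so 149.0.7827.99 < 149.0.7827.102
    # (a plain string comparison would get this wrong).
    if build < FIXED_BUILD[platform]:
        return "Presumed exposed"
    return "Fixed build installed"

def summarize(rows):
    return Counter(classify(r) for r in rows)

SAMPLE_INVENTORY = [  # constructed rows
    {"host": "ws-01", "product": "Google Chrome", "platform": "Windows", "version": "149.0.7827.99"},
    {"host": "ws-02", "product": "Google Chrome", "platform": "macOS", "version": "149.0.7827.103"},
    {"host": "ws-03", "product": "Google Chrome", "platform": "Linux", "version": "148.0.7700.200"},
    {"host": "ws-04", "product": "Example Chromium Browser", "platform": "Windows", "version": "9.1.0.0"},
    {"host": "ws-05", "product": "Google Chrome", "platform": "Windows", "version": ""},
]

if __name__ == "__main__":
    for row in SAMPLE_INVENTORY:
        print(f"{row['host']}: {classify(row)}")
    print(dict(summarize(SAMPLE_INVENTORY)))
```

A "Fixed build installed" result describes current state only; the Impact Determination table still calls for reviewing available telemetry from the period before the update.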

    Sources

    1. Google Chrome Releases: Stable Channel Update for Desktop, June 8, 2026 - Role: DIRECT_SOURCE - Impact: Fixed desktop builds, severity, reporter, reward, and in-the-wild exploitation statement.
    2. CISA: Adds Three Known Exploited Vulnerabilities to Catalog - Role: DIRECT_SOURCE - Impact: KEV addition date and remediation direction.
    3. CISA: Known Exploited Vulnerabilities entry for CVE-2026-11645 - Role: DIRECT_SOURCE - Impact: Due date, affected-product description, and ransomware-use status.
    4. NIST NVD: CVE-2026-11645 - Role: ENRICHMENT_DATA - Impact: Published description, CVSS vector, weakness mappings, and affected boundary.