Active Exploitation, Memory Corruption, Google Chrome, CVE-2026-11645
Source Material: Chrome Releases, NVD | Technology: Google Chrome, Chromium-Based Browsers, V8 JavaScript Engine | Targeted Industries: Agnostic / Broad Targeting
Executive Summary
Google released a security update for the Stable Channel on June 8, 2026. This update addresses 74 security vulnerabilities in Google Chrome. Among the fixed vulnerabilities is CVE-2026-11645, a high-severity out-of-bounds read and write memory corruption flaw within V8, Chrome’s open-source JavaScript and WebAssembly engine. Google confirmed threat actors are actively exploiting this zero-day vulnerability in the wild against targeted endpoints. This marks the fifth actively exploited zero-day patched in the Google Chrome ecosystem this year.
The vulnerability allows a remote attacker to execute arbitrary machine code inside the Chromium browser sandbox. An adversary only needs to trick a user into visiting a maliciously crafted HTML web page. While this isolated exploit does not grant immediate operating system control, it successfully breaches the browser’s primary security boundary. Advanced Persistent Threat (APT) groups and commercial spyware vendors regularly chain these renderer-level exploits with secondary sandbox escapes to fully compromise the host device.
An anonymous security researcher reported the vulnerability to Google on April 27, 2026. Standard vulnerability disclosure protocols are currently active. Google is withholding technical proof-of-concept (PoC) exploit code and specific campaign attribution details to give the global user base time to patch.
Threat Overview and Strategic Impact
CVE-2026-11645 originates from an out-of-bounds (OOB) memory access condition in the V8 engine. V8 compiles JavaScript directly into native machine code. OOB read and write flaws occur when the optimizing compiler makes incorrect assumptions about object types or memory bounds during the Just-In-Time (JIT) compilation process. When V8’s internal assumptions fail to match the actual runtime state, the generated code performs memory accesses without the bounds checks the compiler assumed it could omit.
Attackers trigger this by embedding specific JavaScript or WebAssembly payloads in an HTML document. This forces the V8 engine to read from or write to locations outside its allocated memory buffer. Reading OOB memory leaks sensitive addresses, bypassing protections like Address Space Layout Randomization (ASLR). Writing OOB memory lets attackers overwrite function pointers and hijack the execution flow to run arbitrary machine code.
The strategic impact remains high despite the Chromium sandbox. An attacker inside the sandboxed renderer process can harvest session cookies, intercept authentication tokens, and launch cross-site scripting attacks using the victim’s active web sessions. Attackers may use this as a beachhead, chaining additional local privilege escalation (LPE) vulnerabilities to escape the sandbox and gain system-level persistence.
Security Hardening and Recommendations
Mitigation can be achieved by deploying the patched browser versions across all endpoints. Google released Chrome versions 149.0.7827.102 and 149.0.7827.103 for Windows and macOS, and version 149.0.7827.102 for Linux. Verify that automated update mechanisms are functioning properly. Force browser restarts across the environment, as the patch only applies after the application terminates and reinitializes.
Evaluate your software inventory for alternative Chromium-based browsers (Edge, Brave, Vivaldi, Opera) and ensure they are updated to match the upstream Chromium engine patches. Audit desktop applications built on Electron or CEF frameworks. These embedded runtimes often lag significantly behind the primary Chromium release cycle and create persistent, hidden attack surfaces.
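The patch-verification step above is easy to get wrong in inventory tooling because Chrome build numbers do not sort correctly as strings ("149.0.7827.95" compares greater than "149.0.7827.102"). The following is an added example, not part of this advisory and not a Deepwatch tool: it parses version strings numerically, compares Chrome installs against the fixed builds named above, and routes other Chromium browsers and Electron/CEF applications to manual review. The host names, inventory record layout and version values are constructed sample data.

```python
"""Added example (not from the advisory or any vendor tool): check an endpoint
software inventory against the patched Chrome builds named in the advisory.
Inventory records, host names and non-Chrome versions are constructed."""

# Minimum fixed Chrome build per platform, taken from the advisory text.
PATCHED_CHROME = {
    "windows": (149, 0, 7827, 102),
    "macos": (149, 0, 7827, 102),
    "linux": (149, 0, 7827, 102),
}

# Applications named in the advisory as bundling their own Chromium runtime.
EMBEDDED_CHROMIUM_APPS = {"Microsoft Teams", "Slack", "Discord"}


def parse_version(text: str) -> tuple:
    """Turn '149.0.7827.95' into (149, 0, 7827, 95) so comparison is numeric.
    A plain string compare would rank '...95' above '...102'."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Chrome version string: {text!r}")
    return tuple(int(p) for p in parts)


def assess(record: dict) -> str:
    """Classify one inventory record as 'patched', 'vulnerable' or 'review'."""
    name = record["app"]
    if name in EMBEDDED_CHROMIUM_APPS:
        return "review"      # embedded runtime: patch cadence belongs to that vendor
    if name != "Google Chrome":
        return "review"      # other Chromium browsers: map to the upstream fix manually
    minimum = PATCHED_CHROME[record["platform"]]
    return "patched" if parse_version(record["version"]) >= minimum else "vulnerable"


def triage(inventory: list) -> dict:
    """Group host names by assessment result, preserving inventory order."""
    out = {"patched": [], "vulnerable": [], "review": []}
    for rec in inventory:
        out[assess(rec)].append(rec["host"])
    return out


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = [
    {"host": "ws-001", "app": "Google Chrome", "platform": "windows", "version": "149.0.7827.103"},
    {"host": "ws-002", "app": "Google Chrome", "platform": "windows", "version": "149.0.7827.95"},
    {"host": "mac-07", "app": "Google Chrome", "platform": "macos", "version": "149.0.7827.102"},
    {"host": "lx-003", "app": "Google Chrome", "platform": "linux", "version": "148.0.7700.201"},
    {"host": "ws-004", "app": "Microsoft Teams", "platform": "windows", "version": "1.6.0.0"},
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```

The "review" bucket is deliberate: the advisory gives fixed build numbers only for Chrome, so Edge, Brave, Vivaldi, Opera and embedded runtimes need their own vendor mapping rather than a guessed threshold.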
Detection Strategy
Catching a V8 memory corruption exploit at the point of execution is challenging because the activity happens within the volatile memory of the sandboxed browser process. Focus detection strategies on behavioral anomalies, initial delivery vectors, and post-exploitation sandbox escape artifacts. Monitor endpoint telemetry for unexpected child processes spawning from browser executables. Command-line interpreters or unknown binaries originating from chrome.exe or msedge.exe strongly indicate a successful sandbox escape. Watch for repeated renderer crashes paired with network connections to new or uncategorized domains, which often point to failed exploitation attempts.
How Deepwatch Protects Our Customers
Deepwatch actively monitors customer environments for initial exploitation mechanisms for this threat, such as phishing emails, watering hole attacks, and malvertising, and subsequent post-exploitation activity. We use custom correlation searches across endpoint, identity, and email data to identify attempts to route users to malicious infrastructure.
Relevant Detections
Please visit Security Center to access the relevant detections for this activity.
Threat Hunting Leads
- Anomalous Child Process Execution Originating from Sandboxed Renderers: The Chromium architecture uses strict boundaries. Renderer processes cannot interact directly with the host operating system. If an attacker achieves arbitrary code execution and escapes the sandbox, their next step is to spawn a persistent OS-level process. They will often instruct the compromised browser to launch command-line interpreters (cmd.exe, powershell.exe) or system utilities to download next-stage payloads. Query EDR telemetry for instances where browser executables act as the parent process for standard living-off-the-land binaries (LOLBins).
- Memory Corruption Crash Analytics and Network Correlation: Memory corruption exploits targeting JIT compilers are often unstable. Attackers must precisely manipulate memory layouts and bypass ASLR. When these manipulations fail, the application renderer crashes. Threat actors refining an exploit in the wild often generate application faults. Leverage Windows Error Reporting (WER) to identify hosts experiencing sudden spikes in browser crashes. Correlate this crash data temporally with network connection events to newly registered or low-reputation domains.
- Suspicious File Drops and Modification within User Profile Directories: Many exploit chains still rely on staging secondary payloads to disk. A compromised browser process will often attempt to write executables, DLLs, or script files into user-writable directories. The AppData\Local\Temp directory is a primary target because the user executing the browser already possesses write permissions there. Hunt for browser processes creating executable files or scripts within the user profile, focusing on uncommon file extensions.
- Exploitation Indicators within Embedded Chromium Frameworks (Electron/CEF): Applications like Microsoft Teams, Slack, and Discord utilize embedded versions of the Chromium engine. These do not automatically update when Google patches the core Chrome browser, leaving them vulnerable to CVE-2026-11645 for extended periods. Apply the same behavioral detection logic used for browsers to all known Electron and CEF-based applications across the endpoint fleet.
- Cross-Origin Data Exfiltration and DOM Manipulation: An attacker constrained by the sandbox still has access to the user’s active web session data. They can bypass Same-Origin Policy (SOP) restrictions to read data from other tabs, steal session cookies, or interact with internal corporate web applications. Look for patterns of cross-origin data exfiltration, such as a browser session initiating high-frequency HTTP POST requests to an unknown external domain immediately following navigation to an untrusted site.
- Advanced Memory Allocation Anomalies (ETW Ti): To bypass mitigations like Data Execution Prevention (DEP), attackers must allocate executable memory regions. This involves API calls to change memory page permissions to PAGE_EXECUTE_READWRITE (RWX). Organizations using ETW Ti data should hunt for anomalous memory allocation patterns originating from the browser process. Cross-process memory injection from a browser into a completely unrelated system process is highly anomalous and indicates a sandbox escape.
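The first two hunting leads above (browser-parented LOLBins, and crash clusters correlated with connections to low-reputation domains) can be expressed as small queries over process-creation, crash and network telemetry. What follows is an added example, not part of this advisory and not a Deepwatch detection: it runs both leads over constructed EDR-style events. The event field names, host names, timestamps and domains are hypothetical; the browser image names and LOLBin list follow the advisory text.

```python
"""Added example, not part of the advisory and not a Deepwatch detection:
the first two hunting leads run over constructed EDR-style telemetry.
Event field names, hosts, times and domains are hypothetical."""
from datetime import datetime, timedelta

BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "vivaldi.exe", "opera.exe"}
LOLBINS = {"cmd.exe", "powershell.exe", "rundll32.exe", "mshta.exe",
           "certutil.exe", "regsvr32.exe", "wscript.exe", "cscript.exe"}
# Stand-in for a newly-registered / low-reputation domain feed (constructed).
LOW_REPUTATION = {"cdn-update-check.example", "static-assets.example"}


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["time"])


def browser_spawned_lolbins(events: list) -> list:
    """Lead 1: process-creation events where a browser is the parent of a LOLBin.
    Browser-to-browser spawns (renderer, GPU, utility children) are expected
    and are not flagged."""
    hits = []
    for e in events:
        if e["type"] != "process_create":
            continue
        if (e["parent_image"].lower() in BROWSER_IMAGES
                and e["image"].lower() in LOLBINS):
            hits.append((e["host"], e["parent_image"], e["image"], e["cmdline"]))
    return hits


def crash_network_correlation(events: list, window: timedelta = timedelta(minutes=5),
                              min_crashes: int = 2) -> list:
    """Lead 2: hosts with repeated browser crashes and, within `window` of the
    crash cluster, a browser connection to a low-reputation domain."""
    by_host: dict = {}
    for e in events:
        by_host.setdefault(e["host"], []).append(e)
    findings = []
    for host, evs in by_host.items():
        crashes = sorted((e for e in evs if e["type"] == "app_crash"
                          and e["image"].lower() in BROWSER_IMAGES), key=_ts)
        if len(crashes) < min_crashes:
            continue        # a single crash is ordinary instability, not a lead
        start = _ts(crashes[0]) - window
        end = _ts(crashes[-1]) + window
        for e in evs:
            if (e["type"] == "network_connect"
                    and e["image"].lower() in BROWSER_IMAGES
                    and e["domain"] in LOW_REPUTATION
                    and start <= _ts(e) <= end):
                findings.append((host, len(crashes), e["domain"]))
                break       # one finding per host is enough to open a case
    return findings


# Constructed sample telemetry (hypothetical hosts, times and domains).
SAMPLE_EVENTS = [
    # ws-001: normal browsing, a single crash, reputable traffic -> no finding
    {"host": "ws-001", "time": "2026-06-09T09:12:00", "type": "process_create",
     "image": "chrome.exe", "parent_image": "chrome.exe", "cmdline": "chrome.exe --type=renderer"},
    {"host": "ws-001", "time": "2026-06-09T09:15:30", "type": "app_crash", "image": "chrome.exe"},
    {"host": "ws-001", "time": "2026-06-09T09:15:31", "type": "network_connect",
     "image": "chrome.exe", "domain": "intranet.example"},
    # ws-002: crash cluster around a low-reputation domain, then a LOLBin spawn
    {"host": "ws-002", "time": "2026-06-09T10:00:05", "type": "network_connect",
     "image": "chrome.exe", "domain": "cdn-update-check.example"},
    {"host": "ws-002", "time": "2026-06-09T10:00:09", "type": "app_crash", "image": "chrome.exe"},
    {"host": "ws-002", "time": "2026-06-09T10:01:40", "type": "app_crash", "image": "chrome.exe"},
    {"host": "ws-002", "time": "2026-06-09T10:03:12", "type": "app_crash", "image": "chrome.exe"},
    {"host": "ws-002", "time": "2026-06-09T10:04:01", "type": "process_create",
     "image": "powershell.exe", "parent_image": "chrome.exe", "cmdline": "powershell.exe -NoProfile"},
    # ws-005: two crashes but only reputable traffic -> no finding
    {"host": "ws-005", "time": "2026-06-09T11:00:00", "type": "app_crash", "image": "msedge.exe"},
    {"host": "ws-005", "time": "2026-06-09T11:02:00", "type": "app_crash", "image": "msedge.exe"},
    {"host": "ws-005", "time": "2026-06-09T11:02:10", "type": "network_connect",
     "image": "msedge.exe", "domain": "accounts.example"},
]

if __name__ == "__main__":
    for hit in browser_spawned_lolbins(SAMPLE_EVENTS):
        print("LOLBin from browser:", hit)
    for f in crash_network_correlation(SAMPLE_EVENTS):
        print("crash cluster + low-reputation domain:", f)
```

The two queries are kept separate on purpose: a LOLBin child of a browser is high-confidence on its own, while the crash correlation only becomes a lead once several crashes cluster around traffic to a domain the reputation feed does not trust, which is why the single-crash host and the reputable-traffic host produce nothing.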
Technical Artifacts
Please visit Security Center to access the associated technical artifacts.
Threat Object Mapping
Intrusion Set:
- Unknown
Attack Pattern (MITRE ATT&CK):
| Tactic | Technique | Technique ID | Associated Threat Activity |
|---|---|---|---|
| Initial Access | Drive-by Compromise | T1189 | Threat actors host weaponized HTML pages designed to silently exploit the V8 engine upon visitation. |
| Initial Access | Phishing: Spearphishing Link | T1566.002 | Attackers distribute malicious URLs via email or social engineering to lure victims to exploit infrastructure. |
| Execution | User Execution: Malicious Link | T1204.002 | The exploitation sequence requires the user to click a link or navigate to a controlled web asset. |
| Execution | Command and Scripting Interpreter: JavaScript | T1059.007 | The adversary utilizes deeply obfuscated JavaScript payloads to trigger the out-of-bounds condition. |
| Privilege Escalation | Exploitation for Privilege Escalation | T1068 | The V8 renderer exploit is likely chained with a local OS-level vulnerability to completely escape the sandbox. |
| Defense Evasion | Execution Guardrails | T1480 | Exploits employ environmental keying to trigger the payload only if the target matches specific parameters. |
| Credential Access | Steal Web Session Cookie | T1539 | The attacker extracts active web session cookies from the browser’s memory for account takeover. |
| Collection | Data from Local System | T1005 | Post-exploitation, the adversary collects sensitive documents or configuration files from the endpoint. |
| Command and Control | Application Layer Protocol: Web Protocols | T1071.001 | The payload establishes persistence and communicates with C2 infrastructure via standard HTTPS traffic. |
Vulnerabilities:
- CVE-2026-11645
Malware/Tool:
- Unknown. Specific malware families have not been detailed. Post-exploitation activity likely involves remote access trojans (RATs), commercial adversary simulation frameworks, or custom in-memory droppers.
Additional Sources
- The Hacker News – Chrome V8 Zero-Day
- SecurityWeek – Google Patches 5th Chrome Zero-Day
- Penligent – CVE-2026-11645 Active Exploitation
- Help Net Security – Google Chrome Zero-Day
- Malwarebytes – Google Patches Actively Exploited Vulnerability
- VulDB – CVE-2026-11695
- AI Weekly – Google Chrome Patches Fifth Zero-Day
- TechRadar – Update Chrome Now
- CyberInsider – Google Chrome Emergency Update
- InfoSecurity Magazine – Google Releases Patch