Google Chrome 0-Day Vulnerability Exploited in the Wild — Update Now

Jun 09, 2026 · 3 min read

Google has released an emergency security update for Chrome, patching a critical zero-day vulnerability actively exploited in the wild. The Stable channel has been updated to version 149.0.7827.102/.103 for Windows and Mac, and 149.0.7827.102 for Linux, addressing 74 security vulnerabilities, including one confirmed zero-day.

Here’s the breakdown of the five actively exploited Chrome zero-days patched in 2026 so far:

| CVE | Disclosed/Patched | Component | Vulnerability Type | Fixed Version |
| --- | --- | --- | --- | --- |
| CVE-2026-2441 | Mid-February | CSSFontFeatureValuesMap (CSS) | Iterator invalidation | |
| CVE-2026-3909 | March (~Mar 12) | Skia (2D graphics library) | Out-of-bounds write | 146.0.7680.75/.76 |
| CVE-2026-3910 | March (~Mar 12) | V8 (JavaScript/WebAssembly engine) | Inappropriate implementation | 146.0.7680.75/.76 |
| CVE-2026-5281 | Late March (CISA: Apr 1) | Dawn (WebGPU implementation) | Use-after-free | 146.0.7680.177/.178 |
| CVE-2026-11645 | June 9 (latest) | V8 (JavaScript engine) | Out-of-bounds read & write | 149.0.7827.102/.103 |

Google Chrome 0-Day Exploited

The most critical flaw in this update is CVE-2026-11645, a high-severity out-of-bounds memory access vulnerability in Chrome’s V8 JavaScript engine.

Out-of-bounds memory access flaws in V8 are particularly dangerous because the engine processes untrusted JavaScript from every website a user visits.

Successful exploitation can corrupt memory, leak sensitive data, or, when chained with other bugs, lead to remote code execution simply by luring a victim to a malicious page.

The flaw was discovered by an external researcher identified as “303f06e3” on April 27, 2026, and Google awarded a $55,000 bug bounty for the report, reflecting its significant impact potential.

Google explicitly confirmed: “Google is aware that an exploit for CVE-2026-11645 exists in the wild.” Attackers can leverage out-of-bounds memory access flaws in V8 to execute arbitrary code within the browser’s renderer process, potentially leading to sandbox escape and full system compromise when chained with other exploits.

The update is far more than a single-bug patch. In total, the release ships 74 security fixes, including 17 Critical vulnerabilities. The overwhelming majority are use-after-free (UAF) defects — a memory-corruption class that remains the most persistent thorn in browser security.

  • Ozone, Aura, and Views (core rendering and UI frameworks)
  • Bluetooth and Gamepad (hardware interface layers)
  • TabStrip, Autofill, and Web Apps (browser feature components)
  • Printing, Compositing, and Proxy
  • libyuv (integer overflow, CVE-2026-11640)

UAF vulnerabilities occur when a program continues using a memory pointer after the referenced memory has been freed. Exploiting these flaws can allow attackers to corrupt memory, execute arbitrary code, or crash the browser entirely.

High-Severity Flaws Across Core Subsystems

The high-severity category includes an additional 57 vulnerabilities affecting nearly every major Chrome subsystem, including V8 (CVE-2026-11649/11650), WebRTC (CVE-2026-11667), PDF (CVE-2026-11670), ServiceWorker (CVE-2026-11656/11694), Extensions (CVE-2026-11652/11653), Network (CVE-2026-11651/11677), and GPU (CVE-2026-11672). The breadth of affected components signals a sweeping internal security audit conducted by Google’s own researchers between late April and late May 2026.

Notably, CVE-2026-11662 is a type confusion in Bindings, and CVE-2026-11688 is an object lifecycle issue in SVG. Both are classes of bugs commonly leveraged in browser exploit chains.

The Stable channel has been updated to 149.0.7827.102/.103 for Windows and Mac, and 149.0.7827.102 for Linux. Google notes the rollout will reach users over the coming days and weeks, so manual updating is strongly recommended rather than waiting for the automatic push.

How to Update Chrome Immediately

Users should not wait for the automatic rollout. To manually update:

  1. Open Chrome and click the three-dot menu (⋮) in the top-right corner
  2. Navigate to Help → About Google Chrome
  3. Chrome will check for updates automatically — click Relaunch once the update downloads

Enterprise administrators should prioritize pushing version 149.0.7827.102/.103 across managed endpoints immediately, given the confirmed in-the-wild exploitation of CVE-2026-11645.
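
For administrators verifying the rollout, the following added example (not from the original article or from Google) checks reported Chrome versions against the fixed versions listed in the table above and reports which of the exploited zero-days each host is still exposed to. The inventory format and hostnames are constructed, and it assumes plain numeric version ordering decides patch status.

```python
import re

# Fixed Stable versions taken from the article's table. CVE-2026-2441 is
# omitted because the page gives no fixed version for it.
FIXED_IN = {
    "CVE-2026-3909": (146, 0, 7680, 75),
    "CVE-2026-3910": (146, 0, 7680, 75),
    "CVE-2026-5281": (146, 0, 7680, 177),
    "CVE-2026-11645": (149, 0, 7827, 102),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract a four-part Chrome version from free text, or return None."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def unpatched_cves(version):
    """CVEs whose fixed version is newer than `version` (numeric order, an assumption)."""
    return sorted(cve for cve, fixed in FIXED_IN.items() if version < fixed)


def audit(inventory_lines):
    """Map hostname -> list of unpatched CVEs, or ['UNKNOWN_VERSION']."""
    report = {}
    for line in inventory_lines:
        host, _, reported = line.partition(",")
        version = parse_version(reported)
        # A host with no parseable version is flagged, never treated as patched.
        report[host.strip()] = unpatched_cves(version) if version else ["UNKNOWN_VERSION"]
    return report


# Constructed sample inventory: "hostname,version string as reported".
SAMPLE = [
    "ws-001,Google Chrome 149.0.7827.103",
    "ws-002,Google Chrome 149.0.7827.68",
    "ws-003,Google Chrome 146.0.7680.80",
    "ws-004,version not reported",
]

if __name__ == "__main__":
    for host, findings in audit(SAMPLE).items():
        print(host, "OK" if not findings else ", ".join(findings))
```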

Source: CybersecurityNews.com
