Browser bugs travel further than most. On June 9, 2026, CISA added CVE-2026-11645, an out-of-bounds read and write vulnerability in Chromium's V8 JavaScript engine, to its Known Exploited Vulnerabilities catalog. Because V8 is the engine inside Chromium, the flaw does not stop at Google Chrome. CISA's entry is explicit: it “could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.” A single bug in shared code becomes a vulnerability across a large slice of the world's browsers.

The National Vulnerability Database scores CVE-2026-11645 a CVSS 3.1 base of 8.8, High. The vector — AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H — describes a network-reachable, low-complexity attack requiring no privileges but a single user action, with high impact across confidentiality, integrity, and availability. That “user action” (UI:R) is the entire interaction model of a drive-by browser exploit: the victim simply visits a page.

What an out-of-bounds read and write buys an attacker

The NVD description states that the flaw “allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page,” and Google rated the Chromium security severity as High. The CVE is classified under two memory-safety weaknesses: CWE-787 (out-of-bounds write) and CWE-125 (out-of-bounds read). V8 compiles and runs JavaScript at high speed, and memory-safety errors in that engine are among the most prized in offensive research precisely because every web page is an opportunity to feed the engine attacker-controlled script.

An out-of-bounds write lets an attacker corrupt memory the program never intended them to touch; an out-of-bounds read can leak memory contents that defeat protections like address-space layout randomization. Combined, read-then-write primitives are the classic building blocks of a reliable exploit chain: leak to understand the memory layout, then write to redirect execution. The result, as the description notes, is arbitrary code execution inside the renderer sandbox.

That sandbox boundary matters and deserves an honest accounting. Chromium isolates the renderer process precisely so that a compromised web page cannot immediately reach the rest of the operating system. Code execution “inside a sandbox” is a serious foothold but not, by itself, full device takeover — a sandbox escape is typically required to convert renderer compromise into control of the host. Attackers routinely chain a V8 bug like this one with a separate sandbox-escape vulnerability to achieve exactly that, which is why a memory-safety flaw with confirmed exploitation in the wild warrants urgent patching even before any escape is public. The renderer is the front door, and CVE-2026-11645 holds it open.

The defender's response is simple but easy to neglect

The fix is already available. The NVD record states the flaw affects “Google Chrome prior to 149.0.7827.103,” meaning the patched build is 149.0.7827.103 or later. Google's Chrome Releases blog announced the corresponding stable-channel desktop update, and the Chromium issue tracker carries the underlying bug. CISA's required action directs applying vendor mitigations per BOD 22-01, with a federal remediation due date of June 23, 2026.

For most users and fleets, remediation is a matter of letting Chrome update and then restarting the browser — the step people skip. Chrome downloads updates in the background, but the new version does not take effect until the browser is relaunched, so a fleet of machines that have not been restarted in days may be carrying the patch on disk while still running the vulnerable engine in memory. The practical takeaway for defenders is to verify the running version, not just the installed one: confirm endpoints report 149.0.7827.103 or later and have actually restarted Chrome.

It is also worth being clear about what KEV listing implies for a browser bug specifically. Google does not always disclose the precise details of exploitation when a Chromium flaw is being used in attacks; the company frequently restricts bug-tracker access until a majority of users have updated, precisely to slow the spread of working exploits. That operational caution means defenders often have to act on the fact of exploitation rather than a public proof of concept. The CISA listing supplies exactly that fact — confirmation that CVE-2026-11645 is being used against real targets — which is sufficient justification to treat the update as urgent even in the absence of a published exploit. Waiting for technical details before patching inverts the risk calculus: by the time details circulate widely, the window of easy exploitation has usually already been open for some time.

The Chromium dependency makes the rollout broader than Chrome alone. Microsoft Edge, Opera, Brave, Vivaldi, and other Chromium-based browsers ship their own updates incorporating the same V8 fix, typically on a short lag. Organizations should track and push the equivalent patched versions for every Chromium browser in their environment, including any embedded webview components in applications. A vulnerability in shared upstream code is only as fixed as the slowest downstream product to ship it.
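The running-versus-installed check and the per-browser tracking described in the two paragraphs above, as an added example that is not from the original article, CISA, or Google. The inventory rows, hostnames, field names and status labels are constructed assumptions; only Chrome's fixed build 149.0.7827.103 comes from the text, so other Chromium browsers are flagged for a vendor-advisory lookup instead of being compared.

```python
# Added example: triage endpoint inventory against the fixed Chrome build.
# Only Chrome's fixed build appears in the article; other browsers have no entry.
FIXED = {"chrome": "149.0.7827.103"}

def parse_version(text):
    """'149.0.7827.103' -> (149, 0, 7827, 103); None if not four numeric parts."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def triage(row):
    """Classify one endpoint by installed (on-disk) and running (in-memory) build."""
    fixed = FIXED.get(row["browser"].lower())
    if fixed is None:
        return "CHECK_VENDOR_ADVISORY"  # fixed build for this browser not known here
    fixed_v = parse_version(fixed)
    installed = parse_version(row["installed"])
    running = parse_version(row["running"]) if row["running"] else None
    if installed is None or (row["running"] and running is None):
        return "UNPARSEABLE"
    if installed < fixed_v:
        return "UPDATE_REQUIRED"
    if running is None:
        return "PATCHED_NOT_RUNNING"    # fixed on disk, no browser process open
    if running < fixed_v:
        return "RESTART_REQUIRED"       # patch on disk, old V8 still in memory
    return "PATCHED"

# Constructed sample inventory: hostnames, field names and all versions other
# than 149.0.7827.103 are made up for illustration.
INVENTORY = [
    {"host": "ws-001", "browser": "Chrome", "installed": "149.0.7827.103", "running": "149.0.7827.103"},
    {"host": "ws-002", "browser": "Chrome", "installed": "149.0.7827.103", "running": "149.0.7827.99"},
    {"host": "ws-003", "browser": "Chrome", "installed": "148.0.7700.50", "running": "148.0.7700.50"},
    {"host": "ws-004", "browser": "Chrome", "installed": "149.0.7827.103", "running": ""},
    {"host": "ws-005", "browser": "Edge", "installed": "149.0.3900.10", "running": "149.0.3900.10"},
    {"host": "ws-006", "browser": "Chrome", "installed": "149.0.7827.103", "running": "unknown"},
]

def report(rows):
    """Map each host to its triage status."""
    return {r["host"]: triage(r) for r in rows}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:8} {status}")
```

Versions are compared as integer tuples because a plain string comparison would rank the constructed build 149.0.7827.99 above 149.0.7827.103 and report ws-002 as patched.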

Because exploitation is already occurring — that is the entire meaning of a KEV listing — defenders should treat the update as time-sensitive rather than routine. Where centralized management exists, force the update and a restart rather than relying on users. Where it does not, a clear advisory to restart browsers closes the gap. There is no configuration workaround that substitutes for the patched engine; the only durable mitigation is running a fixed build.

CVE-2026-11645 is, in one sense, an ordinary entry: another V8 memory-safety bug, another High-severity browser update. But that ordinariness is the point. The browser is the most-used piece of attack surface on nearly every device, V8 is its busiest component, and a crafted web page is the lowest-friction delivery mechanism an attacker has. When a V8 out-of-bounds flaw lands on the KEV catalog, the correct response is not analysis paralysis but the unglamorous discipline of making sure every browser in the fleet is current and has been restarted.