CISA added CVE-2026-11645 to its Known Exploited Vulnerabilities catalog on June 9, 2026, and while it is a browser bug rather than a server or appliance flaw, its reach may be the broadest on the recent list. The vulnerability lives in V8, the JavaScript and WebAssembly engine at the heart of Chromium — the open-source project that underpins not just Google Chrome but Microsoft Edge, Opera, Brave, Vivaldi, and a long roster of other browsers and embedded web views. A flaw in V8 is not a flaw in one product; it is a flaw in a shared component that the majority of the world's web traffic flows through.
The bug is a memory-safety issue: an out-of-bounds read and write, classified under CWE-787 (out-of-bounds write) and CWE-125 (out-of-bounds read). Memory-corruption flaws in a JavaScript engine are especially dangerous because the engine executes untrusted code from every website a user visits. When the engine can be coaxed into reading or writing memory outside the bounds it should respect, an attacker who controls a web page controls a primitive that can be escalated to code execution. CISA's catalog description states the impact and the breadth in one sentence.
"Google Chromium V8 out-of-bounds read and write vulnerability that could allow a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera." — CISA Known Exploited Vulnerabilities Catalog
The attack vector is the most accessible one imaginable: a crafted HTML page. There is no requirement that the victim install software, open an attachment, or grant a permission. Simply visiting a malicious or compromised website — or viewing a malicious advertisement served through a legitimate site — is enough to trigger the flaw. This is the drive-by model of attack, and it is why browser bugs that reach the KEV list demand fast, broad patching across an entire user population rather than a targeted response to a handful of exposed assets.
What "inside a sandbox" does and does not mean
The catalog wording is careful: the flaw allows code execution inside a sandbox. Modern Chromium browsers run the renderer process — the part that parses web content and runs JavaScript — inside a sandbox specifically designed to contain a compromise, so that breaking the renderer does not immediately mean owning the machine. That layered defense is real and valuable, and it means CVE-2026-11645 on its own grants an attacker control of the sandboxed renderer rather than the full operating system.
But that caveat should not breed complacency. A renderer compromise is itself harmful: it can expose data the renderer handles, including content from the sites a user has open. More importantly, attackers routinely chain a renderer-level bug like this one with a separate sandbox-escape vulnerability to achieve full system compromise — the V8 flaw is the first link in an exploit chain, not necessarily the last. Treating sandboxed code execution as low-severity is exactly the mistake that lets a multi-stage exploit succeed. CISA's inclusion of the flaw on the KEV catalog signals confirmed exploitation in the wild, which means working attack code already exists.
What CISA requires and what users should do
Notably, CVE-2026-11645 was listed under the older BOD 22-01 framework rather than the BOD 26-04 directive attached to the other recent entries, with a remediation due date of June 23, 2026. Agencies are directed to apply mitigations per the vendor's instructions, follow BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable — the standard remediation triad for the catalog's browser and software entries.
The practical takeaway is refreshingly simple for users and clear for administrators. Google shipped a Stable channel update for Chrome that addresses the flaw, and because the vulnerability is in shared Chromium code, the other affected browsers — Microsoft Edge, Opera, and the rest — receive their own corresponding updates as their vendors pull in the fix. Users should update to the latest version of whichever Chromium-based browser they run and, critically, restart the browser. A pending update that has been downloaded but not applied through a restart leaves the user exposed; browsers commonly stage an update silently and only complete it on relaunch, so closing and reopening the browser is the step that actually closes the hole.
The shared-component nature of this vulnerability also carries a timing wrinkle that defenders should understand. Because Chrome, Edge, Opera, and the rest all draw from the same upstream Chromium codebase, they do not necessarily ship their fixes simultaneously. Google typically leads, and downstream vendors pull the corrected V8 code into their own release pipelines on their own schedules — meaning a Chrome user may be protected days before an Edge or Opera user running the same engine. For a mixed-browser environment, that staggered rollout means tracking patch status per browser rather than assuming a single update covers everything. It also means attackers have a window: once the fix is public, the underlying flaw is effectively disclosed, and any browser that has not yet shipped or applied its corresponding update becomes an easier target for n-day exploitation. Speed of patch adoption, not just availability, is what determines exposure in this window.
For organizations, the move is to push the browser update through whatever management tooling is in place and verify version compliance across the fleet, rather than relying on each user to relaunch on their own schedule. The ransomware-use field for CVE-2026-11645 reads "Unknown," with no confirmed tie to a named ransomware operation as of the listing — but browser zero-days and n-days are a staple of both commercial spyware vendors and financially motivated crews, and a drive-by code-execution flaw in the world's most-used browser engine is too widely useful to leave unpatched. Update and restart is the whole defense; it just has to actually happen.
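One way to do that per-browser verification, as an added example that is not part of the original article or of any vendor tooling: it assumes an inventory export with, per host and browser, the version on disk and the version of the running process, and it uses constructed placeholder thresholds (the real fixed builds come from each vendor's release notes). A host whose installed build is fixed but whose running process is older is exactly the "downloaded but not relaunched" case the article warns about.

```python
"""Fleet compliance check for a Chromium engine fix.

Assumed inventory schema: host, browser, installed version (on disk after
the updater ran), running version (the live process, None if not running).
FIXED versions are constructed placeholders, not the real patched builds.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Chromium versions are dotted integers (e.g. 4 components); pad with
    zeros so '200.0' and '200.0.0.0' compare equal."""
    parts = tuple(int(p) for p in v.strip().split("."))
    return parts + (0,) * (4 - len(parts))


@dataclass
class Record:
    host: str
    browser: str            # 'chrome', 'edge', 'opera', ...
    installed: str          # version on disk
    running: Optional[str]  # version of the running process, None if closed


def classify(rec: Record, fixed: Dict[str, str]) -> str:
    """patched | pending_restart | unpatched | unknown_browser."""
    fixed_v = fixed.get(rec.browser)
    if fixed_v is None:
        return "unknown_browser"          # no threshold tracked for this browser
    if parse_version(rec.installed) < parse_version(fixed_v):
        return "unpatched"                # vendor fix not yet installed
    if rec.running is not None and parse_version(rec.running) < parse_version(fixed_v):
        return "pending_restart"          # fix on disk, old engine still running
    return "patched"


def compliance_report(records: List[Record], fixed: Dict[str, str]) -> Dict[str, List[str]]:
    """Group host/browser pairs by status; everything but 'patched' needs action."""
    report: Dict[str, List[str]] = {k: [] for k in
                                    ("patched", "pending_restart", "unpatched", "unknown_browser")}
    for r in records:
        report[classify(r, fixed)].append(f"{r.host}/{r.browser}")
    return report


# Constructed sample data; thresholds are placeholders, one per browser in the fleet.
SAMPLE_FIXED = {"chrome": "200.0.1000.10", "edge": "200.0.2000.20", "opera": "150.0.3000.30"}
SAMPLE_RECORDS = [
    Record("ws-01", "chrome", "200.0.1000.10", "200.0.1000.10"),
    Record("ws-02", "chrome", "200.0.1000.10", "200.0.1000.5"),   # updated, not relaunched
    Record("ws-03", "edge", "200.0.2000.15", "200.0.2000.15"),    # downstream fix not yet applied
    Record("ws-04", "opera", "150.0.3000.30", None),              # installed, browser closed
    Record("ws-05", "brave", "1.67.0", "1.67.0"),                 # no threshold configured
]

if __name__ == "__main__":
    for status, hosts in compliance_report(SAMPLE_RECORDS, SAMPLE_FIXED).items():
        print(f"{status:16s} {hosts}")
```

Feed it the real inventory from your management tooling and the vendor-published fixed builds; the pending_restart bucket is the one a plain version-on-disk check would miss.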