Secure Cyber Vulnerability Management

10/06/2026
Qualys-Threat-Protect

Google Zero-day Vulnerability Exploited in the Wild (CVE-2026-11645)

by Deepanshu Jha

Google released security updates to address a large number of vulnerabilities impacting the Chrome browser. Tracked as CVE-2026-11645, this is an out-of-bounds memory access vulnerability in the V8 JavaScript engine.

CISA acknowledged the active exploitation of the vulnerability by adding it to its Known Exploited Vulnerabilities Catalog. CISA urges users to patch the vulnerability before June 23, 2026.

CVE-2026-11645 is the fifth zero-day vulnerability patched by Google since the start of the year. The list includes:

  1. CVE-2026-2441
  2. CVE-2026-3909
  3. CVE-2026-3910
  4. CVE-2026-5281

Google addressed 73 other vulnerabilities with the zero-day. The list includes:

  • CVE-2026-11628: A use-after-free vulnerability in Ozone.
  • CVE-2026-11629: A use-after-free vulnerability in Ozone.
  • CVE-2026-11630: A use-after-free vulnerability in File Input.
  • CVE-2026-11631: A use-after-free vulnerability in Aura.
  • CVE-2026-11632: A use-after-free vulnerability in TabStrip.
  • CVE-2026-11633: A use-after-free vulnerability in Bluetooth.
  • CVE-2026-11634: A use-after-free vulnerability in Gamepad.
  • CVE-2026-11635: A use-after-free vulnerability in Bluetooth.
  • CVE-2026-11636: A use-after-free vulnerability in Autofill.
  • CVE-2026-11637: A use-after-free vulnerability in Views.
  • CVE-2026-11638: A use-after-free vulnerability in Printing.
  • CVE-2026-11639: A use-after-free vulnerability in Compositing.
  • CVE-2026-11640: An integer overflow vulnerability in libyuv.
  • CVE-2026-11641: A use-after-free vulnerability in Bluetooth.
  • CVE-2026-11642: A use-after-free vulnerability in Web Apps.
  • CVE-2026-11643: A use-after-free vulnerability in Proxy.
  • CVE-2026-11644: A use-after-free vulnerability in Views.
  • CVE-2026-11646: A use-after-free vulnerability in ViewTransitions.
  • CVE-2026-11647: A use-after-free vulnerability in Printing.
  • CVE-2026-11648: A use-after-free vulnerability in FullScreen.
  • CVE-2026-11649: A use-after-free vulnerability in V8.
  • CVE-2026-11650: A use-after-free vulnerability in V8.
  • CVE-2026-11651: A use-after-free vulnerability in Network.
  • CVE-2026-11652: A use-after-free vulnerability in Extensions.
  • CVE-2026-11653: An insufficient validation of untrusted input in Extensions.
  • CVE-2026-11654: A use-after-free vulnerability in CameraCapture.
  • CVE-2026-11655: An integer overflow in Media.
  • CVE-2026-11656: A use-after-free vulnerability in ServiceWorker.
  • CVE-2026-11657: A use-after-free vulnerability in Payments.
  • CVE-2026-11658: An insufficient validation of untrusted input in Extensions.
  • CVE-2026-11659: An insufficient validation of untrusted input in UI.
  • CVE-2026-11660: An insufficient validation of untrusted input in the New Tab Page.
  • CVE-2026-11661: A use-after-free vulnerability in Views.
  • CVE-2026-11662: A type Confusion vulnerability in Bindings.
  • CVE-2026-11663: A use-after-free vulnerability in Skia.
  • CVE-2026-11664: A use-after-free vulnerability in Payments.
  • CVE-2026-11665: An out-of-bounds read vulnerability in Dawn.
  • CVE-2026-11666: An insufficient validation of untrusted input in Input.
  • CVE-2026-11667: An out-of-bounds read vulnerability in WebRTC.
  • CVE-2026-11668: An uninitialized Use in Codecs.
  • CVE-2026-11669: An integer overflow vulnerability in Media.
  • CVE-2026-11670: A use-after-free vulnerability in PDF.
  • CVE-2026-11671: A use-after-free vulnerability in Navigation.
  • CVE-2026-11672: An out-of-bounds write vulnerability in the GPU.
  • CVE-2026-11673: A use-after-free vulnerability in InterestGroups.
  • CVE-2026-11674: A use-after-free vulnerability in Guest View.
  • CVE-2026-11675: An insufficient validation of untrusted input in Skia.
  • CVE-2026-11676: An insufficient validation of untrusted input in Dawn.
  • CVE-2026-11677: A race condition flaw in Network.
  • CVE-2026-11678: An integer overflow vulnerability in libyuv.
  • CVE-2026-11679: A use-after-free vulnerability in Codecs.
  • CVE-2026-11680: A use-after-free vulnerability in Media.
  • CVE-2026-11681: A use-after-free vulnerability in Ozone.
  • CVE-2026-11682: An insufficient validation of untrusted input in Views.
  • CVE-2026-11683: A use-after-free vulnerability in WebCodecs.
  • CVE-2026-11684: An insufficient policy enforcement in the network.
  • CVE-2026-11685: An insufficient data validation in MediaCapture.
  • CVE-2026-11686: An insufficient validation of untrusted input in Dawn.
  • CVE-2026-11687: A use-after-free vulnerability in Dawn.
  • CVE-2026-11688: An object lifecycle issue in SVG.
  • CVE-2026-11689: An insufficient validation of untrusted input in Passwords.
  • CVE-2026-11690: An out-of-bounds read and write vulnerability in Media.
  • CVE-2026-11691: An insufficient validation of untrusted input in the New Tab Page.
  • CVE-2026-11692: A use-after-free vulnerability in Read Anything.
  • CVE-2026-11693: An inappropriate implementation in Plugins.
  • CVE-2026-11694: A use-after-free vulnerability in ServiceWorker.
  • CVE-2026-11695: An inappropriate implementation in Passwords.
  • CVE-2026-11696: An uninitialized Use in Video.
  • CVE-2026-11697: An insufficient validation of untrusted input in UI.
  • CVE-2026-11698: A use-after-free vulnerability in Bluetooth.
  • CVE-2026-11699: A use-after-free vulnerability in Bluetooth.
  • CVE-2026-11700: A use-after-free vulnerability in Tracing.
  • CVE-2026-11701: An insufficient validation of untrusted input.

Affected Versions

The vulnerability affects Google Chrome versions before 149.0.7827.102.

Mitigation

Customers must upgrade to the latest stable channel version 149.0.7827.102/.103 for Windows and Mac and 149.0.7827.102 for Linux.

For more information, please refer to the Google Chrome Release Page.

Qualys Detection

Qualys customers can scan their devices with QID 387568 to detect vulnerable assets.

Rapid Response with TruRisk™ Eliminate

Qualys TruRisk Eliminate and its Zero-Touch Patching feature provide a seamless, automated process for patching vulnerabilities like this.

Zero-Touch Patching identifies the most vulnerable products in your environment and automates the deployment of necessary patches and configuration adjustments. This streamlines the patching process and ensures vulnerabilities are addressed promptly.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0153744567.html

Comments are closed.

You may also like