Google has released an urgent security update for Chrome addressing a critical zero-day vulnerability, tracked as CVE-2026-11645, which is currently being exploited in the wild. As Senior Security Consultants, we are treating this with the highest priority due to the active exploitation status and the nature of the affected component.
Introduction
On June 2026, Google confirmed that CVE-2026-11645 (CVSS 8.8), an out-of-bounds memory access flaw in the V8 JavaScript and WebAssembly engine, is under active attack. This type of vulnerability typically allows an attacker to corrupt memory and escape the browser sandbox, leading to remote code execution (RCE) on the victim's machine. The presence of an active exploit chain means the window between disclosure and widespread compromise is closing rapidly. Defenders must prioritize patching immediately to neutralize this threat.
Technical Analysis
Component Vulnerability: V8 is Chrome's open-source high-performance JavaScript and WebAssembly engine. An out-of-bounds (OOB) memory access vulnerability occurs when the software reads or writes data past the allocated boundary of a buffer.
- CVE-2026-11645: specifically involves an "Out-of-bounds read and write in V8."
- Impact: By carefully manipulating JavaScript objects to trigger this OOB access, an attacker can read sensitive data from memory or corrupt memory pointers. In the context of a browser, this is often the first step in a "Exploit Chain"—used to bypass Address Space Layout Randomization (ASLR) and other mitigations before executing a second-stage payload that achieves arbitrary code execution.
- Affected Version: Google Chrome prior to 149.0.7827.103 (for desktop platforms).
- Exploitation Status: Active in the wild. Google acknowledges that an exploit for CVE-2026-11645 exists.
Detection & Response
Detecting browser exploitation is challenging but not impossible. The most reliable signal for a successful compromise via this vulnerability is the browser process spawning an unexpected child process (e.g., cmd.exe, powershell.exe) or downloading executables. Below are detection rules and hunt queries to identify potential exploitation activity and vulnerable assets.
Sigma Rules
---
title: Potential Chrome Exploitation Spawning Command Shell
id: 89a4b12c-3f7d-4a9e-8b1c-9d3e4f5a6b7c
status: experimental
description: Detects Google Chrome spawning cmd.exe or powershell.exe, a common post-exploitation behavior for browser RCE vulnerabilities like CVE-2026-11645.
references:
- https://nvd.nist.gov/vuln/detail/CVE-2026-11645
author: Security Arsenal
date: 2026/06/16
tags:
- attack.execution
- attack.t1059.001
- attack.t1059.003
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith:
- '\chrome.exe'
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
filter_legit_dev:
# Filter out local developers debugging Node.js/Chromium tools if necessary, adjusting for environment
CommandLine|contains:
- 'C:\\Program Files\\nodejs\\'
condition: selection and not filter_legit_dev
falsepositives:
- Local developers running web servers from terminal
- System administrators using browser-based management tools
level: high
---
title: Chrome Version Vulnerability Check (CVE-2026-11645)
id: 12c3d45e-6789-10ab-cdef-1234567890ab
status: experimental
description: Identifies endpoints running vulnerable versions of Google Chrome (older than 149.0.7827.103) susceptible to CVE-2026-11645 via process creation logs.
references:
- https://chromereleases.googleblog.com/
author: Security Arsenal
date: 2026/06/16
tags:
- detection.vulnerability
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\chrome.exe'
ProductVersion:
- '149.0.7827.0'
- '149.0.7827.1'
- '149.0.7827.2'
- '149.0.7827.10'
- '149.0.7827.11'
- '149.0.7827.12'
- '149.0.7827.13'
- '149.0.7827.14'
- '149.0.7827.15'
- '149.0.7827.16'
- '149.0.7827.17'
- '149.0.7827.18'
- '149.0.7827.19'
- '149.0.7827.20'
- '149.0.7827.21'
- '149.0.7827.22'
- '149.0.7827.23'
- '149.0.7827.24'
- '149.0.7827.25'
- '149.0.7827.26'
- '149.0.7827.27'
- '149.0.7827.28'
- '149.0.7827.29'
- '149.0.7827.30'
- '149.0.7827.31'
- '149.0.7827.32'
- '149.0.7827.33'
- '149.0.7827.34'
- '149.0.7827.35'
- '149.0.7827.36'
- '149.0.7827.37'
- '149.0.7827.38'
- '149.0.7827.39'
- '149.0.7827.40'
- '149.0.7827.41'
- '149.0.7827.42'
- '149.0.7827.43'
- '149.0.7827.44'
- '149.0.7827.45'
- '149.0.7827.46'
- '149.0.7827.47'
- '149.0.7827.48'
- '149.0.7827.49'
- '149.0.7827.50'
- '149.0.7827.51'
- '149.0.7827.52'
- '149.0.7827.53'
- '149.0.7827.54'
- '149.0.7827.55'
- '149.0.7827.56'
- '149.0.7827.57'
- '149.0.7827.58'
- '149.0.7827.59'
- '149.0.7827.60'
- '149.0.7827.61'
- '149.0.7827.62'
- '149.0.7827.63'
- '149.0.7827.64'
- '149.0.7827.65'
- '149.0.7827.66'
- '149.0.7827.67'
- '149.0.7827.68'
- '149.0.7827.69'
- '149.0.7827.70'
- '149.0.7827.71'
- '149.0.7827.72'
- '149.0.7827.73'
- '149.0.7827.74'
- '149.0.7827.75'
- '149.0.7827.76'
- '149.0.7827.77'
- '149.0.7827.78'
- '149.0.7827.79'
- '149.0.7827.80'
- '149.0.7827.81'
- '149.0.7827.82'
- '149.0.7827.83'
- '149.0.7827.84'
- '149.0.7827.85'
- '149.0.7827.86'
- '149.0.7827.87'
- '149.0.7827.88'
- '149.0.7827.89'
- '149.0.7827.90'
- '149.0.7827.91'
- '149.0.7827.92'
- '149.0.7827.93'
- '149.0.7827.94'
- '149.0.7827.95'
- '149.0.7827.96'
- '149.0.7827.97'
- '149.0.7827.98'
- '149.0.7827.99'
- '149.0.7827.100'
- '149.0.7827.101'
- '149.0.7827.102'
# Note: This logic assumes older versions are also present. In a real rule, we'd check "less than" or exclude the patched version.
filter_patched:
ProductVersion: '149.0.7827.103'
condition: selection and not filter_patched
falsepositives:
- None
level: critical
KQL (Microsoft Sentinel / Defender)
This query hunts for devices in your environment running the vulnerable Chrome version. It leverages DeviceProcessEvents to inspect the version of the running chrome.exe binary.
// Hunt for devices running vulnerable versions of Chrome < 149.0.7827.103
DeviceProcessEvents
| where FileName == "chrome.exe"
| where isnotnull(FileVersion)
| extend ChromeVersion = tostring(FileVersion)
| order by Timestamp desc
| distinct DeviceName, ChromeVersion
| where ChromeVersion < "149.0.7827.103"
| project DeviceName, ChromeVersion, RiskLevel = "Critical - Vulnerable to CVE-2026-11645"
Velociraptor VQL
This Velociraptor artifact hunts for the Chrome binary on the endpoint and extracts the Product Version to determine if the system is vulnerable.
-- Hunt for vulnerable Chrome versions on disk
SELECT FullPath,
VersionInfo.ProductVersion AS ChromeVersion,
VersionInfo.FileVersion,
Mtime AS LastModified
FROM glob(globs="/Program Files/Google/Chrome/Application/chrome.exe")
WHERE VersionInfo.ProductVersion < "149.0.7827.103"
Remediation Script (PowerShell)
This PowerShell script can be deployed via SCCM, Intune, or other RMM tools to audit the Chrome version on endpoints. It checks the version against the secure baseline and outputs the compliance status.
# Audit Chrome Version for CVE-2026-11645
$SecureVersion = [version]"149.0.7827.103"
$ChromePaths = @(
"${env:ProgramFiles}\Google\Chrome\Application\chrome.exe",
"${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe"
)
$VulnerableFound = $false
foreach ($Path in $ChromePaths) {
if (Test-Path $Path) {
$FileVersionInfo = (Get-Item $Path).VersionInfo
$InstalledVersion = [version]$FileVersionInfo.ProductVersion
Write-Host "Checking Chrome at: $Path"
Write-Host "Installed Version: $InstalledVersion"
if ($InstalledVersion -lt $SecureVersion) {
Write-Host "[WARNING] System is VULNERABLE to CVE-2026-11645." -ForegroundColor Red
Write-Host "Action Required: Update Google Chrome to $SecureVersion or later."
$VulnerableFound = $true
} else {
Write-Host "[OK] System is patched." -ForegroundColor Green
}
}
}
if (-not $VulnerableFound) {
Write-Host "Chrome not found in standard paths or no vulnerabilities detected."
exit 0
} else {
exit 1
}
Remediation
-
Immediate Patching: Update Google Chrome to version 149.0.7827.103 or immediately.
- Users can trigger an update by navigating to
chrome://settings/helporchrome://help. - Enterprises should push the latest MSI or package update via their endpoint management system (Intune, SCCM, WSUS).
- Users can trigger an update by navigating to
-
Verify Chromium Derivatives: Other browsers based on Chromium (Microsoft Edge, Brave, Opera, Vivaldi) share the V8 engine. Verify that these browsers have also incorporated the V8 fix in their latest stable updates. If they have not patched against CVE-2026-11645, they remain vulnerable.
-
Isolate Compromised Systems: If your detection rules (specifically Chrome spawning shells) have fired, assume the host is fully compromised. Isolate the device from the network and initiate your Incident Response (IR) playbook immediately, focusing on persistence mechanisms and credential theft.
-
User Awareness: Remind users not to ignore browser restart prompts. The patch requires a browser restart to take effect as it involves loading the new V8 engine into memory.
Related Resources
Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.