Google Chrome 0-Day Vulnerability Exploited in the Wild — Update Now
By Guru Baran
June 9, 2026
Google has released an emergency security update for Chrome, patching a critical zero-day vulnerability actively exploited in the wild. The Stable channel has been updated to version 149.0.7827.102/.103 for Windows and Mac, and 149.0.7827.102 for Linux, addressing 74 security vulnerabilities, including one confirmed zero-day.
Here’s the breakdown of the five actively exploited Chrome zero-days patched in 2026 so far:
| CVE | Disclosed/Patched | Component | Vulnerability Type | Fixed Version |
| --- | --- | --- | --- | --- |
| CVE-2026-2441 | Mid-February | CSSFontFeatureValuesMap (CSS) | Iterator invalidation | 145.0.7632.75/.76 |
| CVE-2026-3909 | March (~Mar 12) | Skia (2D graphics library) | Out-of-bounds write | 146.0.7680.75/.76 |
| CVE-2026-3910 | March (~Mar 12) | V8 (JavaScript/WebAssembly engine) | Inappropriate implementation | 146.0.7680.75/.76 |
| CVE-2026-5281 | Late March (CISA: Apr 1) | Dawn (WebGPU implementation) | Use-after-free | 146.0.7680.177/.178 |
| CVE-2026-11645 | June 9 (latest) | V8 (JavaScript engine) | Out-of-bounds read & write | 149.0.7827.102/.103 |
Google Chrome 0-Day Exploited
The most critical flaw in this update is CVE-2026-11645, a high-severity out-of-bounds memory access vulnerability in Chrome’s V8 JavaScript engine.
Out-of-bounds memory access flaws in V8 are particularly dangerous because the engine processes untrusted JavaScript from every website a user visits.
Successful exploitation can corrupt memory, leak sensitive data, or, when chained with other bugs, lead to remote code execution simply by luring a victim to a malicious page.
The flaw was discovered by an external researcher identified as “303f06e3” on April 27, 2026, and Google awarded a $55,000 bug bounty for the report, reflecting its significant impact potential.
Google explicitly confirmed: “Google is aware that an exploit for CVE-2026-11645 exists in the wild.” Out-of-bounds memory access flaws in V8 are particularly dangerous because attackers can leverage them to execute arbitrary code within the browser’s renderer process, potentially leading to sandbox escape and full system compromise when chained with other exploits.
The update is far more than a single-bug patch. In total, the release ships 74 security fixes, including 17 Critical vulnerabilities. The overwhelming majority are use-after-free (UAF) defects — a memory-corruption class that remains the most persistent thorn in browser security.
- Ozone, Aura, and Views (core rendering and UI frameworks)
- Bluetooth and Gamepad (hardware interface layers)
- TabStrip, Autofill, and Web Apps (browser feature components)
- Printing, Compositing, and Proxy
- libyuv (integer overflow, CVE-2026-11640)
UAF vulnerabilities occur when a program continues using a memory pointer after the referenced memory has been freed. Exploiting these flaws can allow attackers to corrupt memory, execute arbitrary code, or crash the browser entirely.
High-Severity Flaws Across Core Subsystems
The high-severity category includes an additional 57 vulnerabilities affecting nearly every major Chrome subsystem, including V8 (CVE-2026-11649/11650), WebRTC (CVE-2026-11667), PDF (CVE-2026-11670), ServiceWorker (CVE-2026-11656/11694), Extensions (CVE-2026-11652/11653), Network (CVE-2026-11651/11677), and GPU (CVE-2026-11672).
The range of affected components signals a sweeping internal security audit conducted by Google’s own researchers between late April and late May 2026.
Notably, CVE-2026-11662 is a type confusion in Bindings, and CVE-2026-11688 is an object lifecycle issue in SVG; both are classes of bugs commonly leveraged in browser exploit chains.
The Stable channel has been updated to 149.0.7827.102/.103 for Windows and Mac, and 149.0.7827.102 for Linux. Google notes the rollout will reach users over the coming days and weeks, so manual updating is strongly recommended rather than waiting for the automatic push.
How to Update Chrome Immediately
Users should not wait for the automatic rollout. To manually update:
1. Open Chrome and click the three-dot menu (⋮) in the top-right corner.
2. Navigate to Help → About Google Chrome.
3. Chrome will check for updates automatically; click Relaunch once the update downloads.
Enterprise administrators should prioritize pushing version 149.0.7827.102/.103 across managed endpoints immediately, given the confirmed in-the-wild exploitation of CVE-2026-11645.
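For the fleet rollout described above, a version-inventory triage script, added here as an example and not taken from Google or the original article. It goes slightly beyond the latest patch by checking each endpoint against all five zero-day fixed versions in the table above; the hostnames and inventory strings are constructed, and it assumes Chrome version tuples compare chronologically.

```python
import re

# First fixed build per exploited 2026 zero-day, from the article's table
# (for "x/.y" pairs the lower build is taken as the minimum patched version).
ZERO_DAY_FIXES = [
    ("CVE-2026-2441", (145, 0, 7632, 75)),
    ("CVE-2026-3909", (146, 0, 7680, 75)),
    ("CVE-2026-3910", (146, 0, 7680, 75)),
    ("CVE-2026-5281", (146, 0, 7680, 177)),
    ("CVE-2026-11645", (149, 0, 7827, 102)),
]
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Extract MAJOR.MINOR.BUILD.PATCH from e.g. 'Google Chrome 149.0.7827.102'."""
    match = VERSION_RE.search(text or "")
    return tuple(int(part) for part in match.groups()) if match else None


def exposed_cves(version_text):
    """Zero-days not yet fixed in this build; None if the version is unparseable."""
    # Assumption: version tuples order chronologically, so a build is patched
    # for a CVE when its tuple is >= that CVE's first fixed tuple.
    version = parse_version(version_text)
    if version is None:
        return None
    return [cve for cve, fixed in ZERO_DAY_FIXES if version < fixed]


def triage(inventory):
    """Map host -> 'PATCHED', 'UNKNOWN' (check manually) or list of exposed CVEs."""
    report = {}
    for host, version_text in inventory:
        cves = exposed_cves(version_text)
        report[host] = "UNKNOWN" if cves is None else (cves or "PATCHED")
    return report


# Constructed sample inventory (hostnames and builds are illustrative only).
INVENTORY = [
    ("ws-001", "Google Chrome 149.0.7827.103"),
    ("ws-002", "Google Chrome 149.0.7827.55"),
    ("mac-014", "146.0.7680.80"),
    ("kiosk-3", "version unavailable"),
]
if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}: {status}")
```

Endpoints reported as UNKNOWN are kept separate from PATCHED so that a failed version query is never counted as a successful update.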