
Google Chrome 0-Day Vulnerability Exploited in the Wild — Update Now

Source: Cybersecurity News. Archived Jun 09, 2026.




By Guru Baran, June 9, 2026

Google has released an emergency security update for Chrome, patching a critical zero-day vulnerability actively exploited in the wild.

The Stable channel has been updated to version 149.0.7827.102/.103 for Windows and Mac, and 149.0.7827.102 for Linux, addressing 74 security vulnerabilities, including one confirmed zero-day.

Here’s the breakdown of the five actively exploited Chrome zero-days patched in 2026 so far:

| CVE | Disclosed/Patched | Component | Vulnerability Type | Fixed Version |
|---|---|---|---|---|
| CVE-2026-2441 | Mid-February | CSSFontFeatureValuesMap (CSS) | Iterator invalidation | 145.0.7632.75/.76 |
| CVE-2026-3909 | March (~Mar 12) | Skia (2D graphics library) | Out-of-bounds write | 146.0.7680.75/.76 |
| CVE-2026-3910 | March (~Mar 12) | V8 (JavaScript/WebAssembly engine) | Inappropriate implementation | 146.0.7680.75/.76 |
| CVE-2026-5281 | Late March (CISA: Apr 1) | Dawn (WebGPU implementation) | Use-after-free | 146.0.7680.177/.178 |
| CVE-2026-11645 | June 9 (latest) | V8 (JavaScript engine) | Out-of-bounds read & write | 149.0.7827.102/.103 |

Google Chrome 0-Day Exploited

The most critical flaw in this update is CVE-2026-11645, a high-severity out-of-bounds memory access vulnerability in Chrome’s V8 JavaScript engine.

Out-of-bounds memory access flaws in V8 are particularly dangerous because the engine processes untrusted JavaScript from every website a user visits. Successful exploitation can corrupt memory, leak sensitive data, or, when chained with other bugs, lead to remote code execution simply by luring a victim to a malicious page.

The flaw was discovered by an external researcher identified as “303f06e3” on April 27, 2026, and Google awarded a $55,000 bug bounty for the report, reflecting its significant impact potential.

Google explicitly confirmed: “Google is aware that an exploit for CVE-2026-11645 exists in the wild.”

Out-of-bounds memory access flaws in V8 are particularly dangerous because attackers can leverage them to execute arbitrary code within the browser’s renderer process, potentially leading to sandbox escape and full system compromise when chained with other exploits.

The update is far more than a single-bug patch. In total, the release ships 74 security fixes, including 17 Critical vulnerabilities. The overwhelming majority are use-after-free (UAF) defects — a memory-corruption class that remains the most persistent thorn in browser security.

- Ozone, Aura, and Views (core rendering and UI frameworks)
- Bluetooth and Gamepad (hardware interface layers)
- TabStrip, Autofill, and Web Apps (browser feature components)
- Printing, Compositing, and Proxy
- libyuv (integer overflow, CVE-2026-11640)

UAF vulnerabilities occur when a program continues using a memory pointer after the referenced memory has been freed. Exploiting these flaws can allow attackers to corrupt memory, execute arbitrary code, or crash the browser entirely.

High-Severity Flaws Across Core Subsystems

The high-severity category includes an additional 57 vulnerabilities affecting nearly every major Chrome subsystem, including V8 (CVE-2026-11649/11650), WebRTC (CVE-2026-11667), PDF (CVE-2026-11670), ServiceWorker (CVE-2026-11656/11694), Extensions (CVE-2026-11652/11653), Network (CVE-2026-11651/11677), and GPU (CVE-2026-11672).

The range of affected components signals a sweeping internal security audit conducted by Google’s own researchers between late April and late May 2026. Notably, CVE-2026-11662 is a type confusion in Bindings, and CVE-2026-11688 is an object lifecycle issue in SVG — both classes of bugs commonly leveraged in browser exploit chains.

The Stable channel has been updated to 149.0.7827.102/.103 for Windows and Mac, and 149.0.7827.102 for Linux. Google notes the rollout will reach users over the coming days and weeks, so manual updating is strongly recommended rather than waiting for the automatic push.

How to Update Chrome Immediately

Users should not wait for the automatic rollout. To manually update:

1. Open Chrome and click the three-dot menu (⋮) in the top-right corner.
2. Navigate to Help → About Google Chrome.
3. Chrome will check for updates automatically — click Relaunch once the update downloads.

Enterprise administrators should prioritize pushing version 149.0.7827.102/.103 across managed endpoints immediately, given the confirmed in-the-wild exploitation of CVE-2026-11645.
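For the enterprise guidance and the fixed-version table above, a fleet check can report which of the five 2026 zero-days each endpoint is still exposed to. This is an added example, not part of the original article: the hostnames, inventory and function names are constructed, and it assumes any build at or above the listed fixed version carries the fix.

```python
# Added example: flag endpoints still exposed to the 2026 Chrome zero-days.
# Fixed versions come from the article's table; the inventory is constructed.

# (CVE, minimum patched build). Where the article lists two builds
# ("x.75/.76"), the lower one is used as the threshold.
FIXED = [
    ("CVE-2026-2441", "145.0.7632.75"),
    ("CVE-2026-3909", "146.0.7680.75"),
    ("CVE-2026-3910", "146.0.7680.75"),
    ("CVE-2026-5281", "146.0.7680.177"),
    ("CVE-2026-11645", "149.0.7827.102"),
]

def parse_version(text):
    """Return a Chrome version as a 4-tuple of ints, or None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def unpatched_cves(installed):
    """List the zero-days from the table whose fix is newer than `installed`."""
    version = parse_version(installed)
    if version is None:
        raise ValueError(f"unparseable Chrome version: {installed!r}")
    # Tuple comparison orders versions numerically, field by field.
    return [cve for cve, fixed in FIXED if version < parse_version(fixed)]

def audit(inventory):
    """Map each host to its unpatched CVEs; unparseable versions are flagged."""
    report = {}
    for host, installed in inventory.items():
        try:
            report[host] = unpatched_cves(installed)
        except ValueError:
            # Treat an unknown version as needing manual follow-up.
            report[host] = ["UNKNOWN-VERSION"]
    return report

# Constructed inventory (hostnames and installed versions are made up).
INVENTORY = {
    "ws-001": "149.0.7827.103",
    "ws-002": "149.0.7827.54",
    "ws-003": "146.0.7680.80",
    "ws-004": "Chrome 149",
}

if __name__ == "__main__":
    for host, cves in audit(INVENTORY).items():
        print(host, "OK" if not cves else "EXPOSED: " + ", ".join(cves))
```

Feed `audit()` the host-to-version mapping exported from your endpoint management tool; hosts reported as `UNKNOWN-VERSION` need manual follow-up, not a pass.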