CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ⬡ Vulnerabilities & CVEs Jun 10, 2026

Google Chrome 0-Day Vulnerability Exploited in the Wild — Update Now - CyberSecurityNews

CyberSecurityNews Archived Jun 10, 2026 ✓ Full text saved

Google Chrome 0-Day Vulnerability Exploited in the Wild — Update Now CyberSecurityNews

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security Google Chrome 0-Day Vulnerability Exploited in the Wild — Update Now By Guru Baran June 9, 2026 Google has released an emergency security update for Chrome, patching a critical zero-day vulnerability actively exploited in the wild. The Stable channel has been updated to version 149.0.7827.102/.103 for Windows and Mac, and 149.0.7827.102 for Linux, addressing 74 security vulnerabilities, including one confirmed zero-day. Here’s the breakdown of the five actively exploited Chrome zero-days patched in 2026 so far: CVE Disclosed/Patched Component Vulnerability Type Fixed Version CVE-2026-2441 Mid-February CSSFontFeatureValuesMap (CSS) Iterator invalidation 145.0.7632.75/.76 CVE-2026-3909 March (~Mar 12) Skia (2D graphics library) Out-of-bounds write 146.0.7680.75/.76 CVE-2026-3910 March (~Mar 12) V8 (JavaScript/WebAssembly engine) Inappropriate implementation 146.0.7680.75/.76 CVE-2026-5281 Late March (CISA: Apr 1) Dawn (WebGPU implementation) Use-after-free 146.0.7680.177/.178 CVE-2026-11645 June 9 (latest) V8 (JavaScript engine) Out-of-bounds read & write 149.0.7827.102/.103 Google Chrome 0-Day Exploited The most critical flaw in this update is CVE-2026-11645, a high-severity out-of-bounds memory access vulnerability in Chrome’s V8 JavaScript engine. Out-of-bounds memory access flaws in V8 are particularly dangerous because the engine processes untrusted JavaScript from every website a user visits. Successful exploitation can corrupt memory, leak sensitive data, or, when chained with other bugs, lead to remote code execution simply by luring a victim to a malicious page. Discovered by an external researcher identified as “303f06e3” on April 27, 2026, Google awarded a $55,000 bug bounty for the report, reflecting its significant impact potential. Google explicitly confirmed: “Google is aware that an exploit for CVE-2026-11645 exists in the wild.” Out-of-bounds memory access flaws in V8 are particularly dangerous because attackers can leverage them to execute arbitrary code within the browser’s renderer process, potentially leading to sandbox escape and full system compromise when chained with other exploits. The update is far more than a single-bug patch. In total, the release ships 74 security fixes, including 17 Critical vulnerabilities. The overwhelming majority are use-after-free (UAF) defects — a memory-corruption class that remains the most persistent thorn in browser security. Ozone, Aura, and Views (core rendering and UI frameworks) Bluetooth and Gamepad (hardware interface layers) TabStrip, Autofill, and Web Apps (browser feature components) Printing, Compositing, and Proxy libyuv (integer overflow, CVE-2026-11640) UAF vulnerabilities occur when a program continues using a memory pointer after the referenced memory has been freed. Exploiting these flaws can allow attackers to corrupt memory, execute arbitrary code, or crash the browser entirely. High-Severity Flaws Across Core Subsystems The high-severity category includes an additional 57 vulnerabilities affecting nearly every major Chrome subsystem, including V8 (CVE-2026-11649/11650), WebRTC (CVE-2026-11667), PDF (CVE-2026-11670), ServiceWorker (CVE-2026-11656/11694), Extensions (CVE-2026-11652/11653), Network (CVE-2026-11651/11677), and GPU (CVE-2026-11672). The range of affected components signals a sweeping internal security audit conducted by Google’s own researchers between late April and late May 2026. Notably, CVE-2026-11662 introduces a Type Confusion in Bindings, and CVE-2026-11688 flags an Object Lifecycle Issue in SVG — both classes of bugs commonly leveraged in browser exploit chains. The Stable channel has been updated to 149.0.7827.102/.103 for Windows and Mac, and 149.0.7827.102 for Linux. Google notes the rollout will reach users over the coming days and weeks, so manual updating is strongly recommended rather than waiting for the automatic push. How to Update Chrome Immediately Users should not wait for the automatic rollout. To manually update: Open Chrome and click the three-dot menu (⋮) in the top-right corner Navigate to Help → About Google Chrome Chrome will check for updates automatically — click Relaunch once the update downloads Enterprise administrators should prioritize pushing version 149.0.7827.102/103 across managed endpoints immediately given the confirmed in-the-wild exploitation of CVE-2026-11645. Follow us on Google News, LinkedIn, and X to Get More Instant Updates. Tags cyber security cyber security news vulnerability Copy URL Linkedin Twitter ReddIt Telegram Guru Baranhttps://cybersecuritynews.com Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments. Trending News New Browser-in-the-Browser Phishing Attack to Steal Microsoft 365 Logins Microsoft Unveils Always-On AI Agent Scout to Integrate With Teams, Outlook, and More Critical Redis RCE Vulnerability Enable Attackers to Gain Complete Control to Host Server SPF, DKIM, DMARC Passed. Malicious Link Passes Every Authentication Check, But CyberCheck360 Caught It Chrome Patches 429 Vulnerabilities Including 22 Critical Ones – Update Now! Latest News Cyber Security News New Browser-in-the-Browser Phishing Attack to Steal Microsoft 365 Logins Cyber Security Microsoft Patch Tuesday June 2026 – 198 Vulnerabilities Fixed, Including 3 Zero-days Cyber Security News Critical Veeam Vulnerability Allows RCE Attacks on Backup Servers Cyber Security News Microsoft Entra Agent ID Logs Reveal Suspicious Assistive Agent Activity Cyber Security News North Korea-Aligned Hackers Abuse GitHub Repositories to Infect Developers
    💬 Team Notes
    Article Info
    Source
    CyberSecurityNews
    Category
    ⬡ Vulnerabilities & CVEs
    Published
    Jun 10, 2026
    Archived
    Jun 10, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗