Google Chrome 0-Day Vulnerability Exploited in Active Attacks - cyberpress.org
cyberpress.orgArchived Jun 11, 2026✓ Full text saved
Google Chrome 0-Day Vulnerability Exploited in Active Attacks cyberpress.org
Full text archived locally
✦ AI Summary· Claude Sonnet
Google Chrome 0-Day Vulnerability Exploited in Active Attacks
By Lucas Martin
June 10, 2026
Categories:
Cyber Security News
Google has released an emergency security update for Chrome, patching a critical zero-day vulnerability (CVE-2026-5281) that is actively being exploited in the wild.
The Stable channel has been updated to version 149.0.7827.102/.103 for Windows and Mac, and 149.0.7827.102 for Linux, with the rollout expected to complete over the coming days and weeks.
The vulnerability currently being actively exploited is CVE-2026-11645, a high-severity out-of-bounds memory access flaw in Chrome’s V8 JavaScript engine. Google has explicitly confirmed that “an exploit for CVE-2026-11645 exists in the wild.”
Google Chrome 0-Day Vulnerability Exploited
The bug was discovered by external researcher 303f06e3 on April 27, 2026, who earned a $55,000 bug bounty reward, underscoring the critical nature of the flaw.
Out-of-bounds memory access vulnerabilities in V8 are particularly dangerous because the JavaScript engine is exposed to untrusted web content by default.
A threat actor could weaponize this flaw by luring a target to a malicious webpage or injecting a crafted script, potentially achieving arbitrary code execution within the Chrome renderer process. When chained with a sandbox escape, such vulnerabilities can lead to full system compromise.
Beyond the zero-day, this update addresses 74 security vulnerabilities in total, one of the largest single-release patch batches in recent Chrome history. The breakdown by severity is alarming:
17 Critical vulnerabilities, nearly all classified as Use-After-Free (UAF) flaws affecting components including Ozone, Aura, TabStrip, Bluetooth, Autofill, Gamepad, Printing, and Web Apps
55 high-severity flaws spanning V8, Network, Extensions, ServiceWorker, Payments, WebRTC, GPU, PDF, SVG, Dawn, and more
2 medium-severity issues in Tracing and Guest View
Use-After-Free vulnerabilities are among the most exploitable classes of memory corruption. They occur when a program continues to access memory after it has been freed, allowing attackers to manipulate heap memory to redirect execution flow.
CVE ID Vulnerability Type Affected Component
CVE-2026-11628 Use After Free Ozone
CVE-2026-11629 Use After Free Ozone
CVE-2026-11630 Use After Free File Input
CVE-2026-11631 Use After Free Aura
CVE-2026-11632 Use After Free TabStrip
CVE-2026-11633 Use After Free Bluetooth
CVE-2026-11634 Use After Free Gamepad
CVE-2026-11635 Use After Free Bluetooth
CVE-2026-11636 Use After Free Autofill
CVE-2026-11637 Use After Free Views
CVE-2026-11638 Use After Free Printing
CVE-2026-11639 Use After Free Compositing
CVE-2026-11640 Integer Overflow libyuv
CVE-2026-11641 Use After Free Bluetooth
CVE-2026-11642 Use After Free Web Apps
CVE-2026-11643 Use After Free Proxy
CVE-2026-11644 Use After Free Views
The concentration of UAF bugs across so many Chrome components, particularly in Bluetooth, V8, and rendering subsystems, signals a significant internal security audit effort by Google’s own teams, who reported the majority of these bugs between May 25–30, 2026.
Notable additional flaws include integer overflows in libyuv and Media (CVE-2026-11640, CVE-2026-11655, CVE-2026-11678), an out-of-bounds write in GPU (CVE-2026-11672), and a Type Confusion in Bindings (CVE-2026-11662) all of which carry serious exploitation potential.
How to Update Chrome
Don’t wait for the automatic rollout. According to Google’s advisory, to force a manual update:
Open Chrome and navigate to chrome://settings/help
Chrome will automatically check for and download the latest update
Click Relaunch to apply the update
Confirm you are running version 149.0.7827.102 or higher
Given the confirmed in-the-wild exploitation of CVE-2026-11645, all Chrome users, especially those in enterprise environments, should treat this update as Priority 1. Full bug details remain restricted until the majority of users are patched.
Follow us on Google News , LinkedIn and X to Get More Instant Updates. Set Cyberpress as a Preferred Source in Google.
Share
Facebook
Twitter
Pinterest
WhatsApp
Lucas Martinhttps://cyberpress.org/
Lucas Martin is an Investigative cybersecurity journalist dedicated to breaking stories on ransomware cartels, data breaches, and state-sponsored espionage.
Recent Articles
Attackers Weaponize AWS and Google Logs for Stealthy Exfiltration
AWS June 11, 2026
GitLab Patches Multiple Flaws Enabling Account Takeover Attacks
Cyber Security News June 11, 2026
Public PoC Released for Linux Kernel Guest-to-Host Escape Flaw
Cyber Security News June 11, 2026
JDY Botnet Expands With 1,500 Compromised Devices Targeting Fresh Vulnerabilities
Botnet June 11, 2026
Ivanti Command Injection Flaw Actively Exploited After PoC Release
Vulnerability June 11, 2026
Related Stories
AWS
Attackers Weaponize AWS and Google Logs for Stealthy Exfiltration
Varshini - June 11, 2026
Cyber Security News
GitLab Patches Multiple Flaws Enabling Account Takeover Attacks
Lucas Martin - June 11, 2026
Cyber Security News
Public PoC Released for Linux Kernel Guest-to-Host Escape Flaw
Lucas Martin - June 11, 2026
Botnet
JDY Botnet Expands With 1,500 Compromised Devices Targeting Fresh Vulnerabilities
Varshini - June 11, 2026
Cyber Security News
Claude Fable 5 Jailbreak Enables Stack Exploit Generation
Lucas Martin - June 11, 2026
Cyber Security News
Windows Translation Framework 0-Day Enables Privilege Escalation
Lucas Martin - June 10, 2026
LEAVE A REPLY
Comment:
Name:*
Email:*
Website: