CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ⬡ Vulnerabilities & CVEs Jun 11, 2026

Google Chrome 0-Day Vulnerability Exploited in Active Attacks - cyberpress.org

cyberpress.org Archived Jun 11, 2026 ✓ Full text saved

Google Chrome 0-Day Vulnerability Exploited in Active Attacks cyberpress.org

Full text archived locally
✦ AI Summary · Claude Sonnet


    Google Chrome 0-Day Vulnerability Exploited in Active Attacks By Lucas Martin June 10, 2026 Categories: Cyber Security News Google has released an emergency security update for Chrome, patching a critical zero-day vulnerability (CVE-2026-5281) that is actively being exploited in the wild. The Stable channel has been updated to version 149.0.7827.102/.103 for Windows and Mac, and 149.0.7827.102 for Linux, with the rollout expected to complete over the coming days and weeks. The vulnerability currently being actively exploited is CVE-2026-11645, a high-severity out-of-bounds memory access flaw in Chrome’s V8 JavaScript engine. Google has explicitly confirmed that “an exploit for CVE-2026-11645 exists in the wild.” Google Chrome 0-Day Vulnerability Exploited  The bug was discovered by external researcher 303f06e3 on April 27, 2026, who earned a $55,000 bug bounty reward, underscoring the critical nature of the flaw. Out-of-bounds memory access vulnerabilities in V8 are particularly dangerous because the JavaScript engine is exposed to untrusted web content by default. A threat actor could weaponize this flaw by luring a target to a malicious webpage or injecting a crafted script, potentially achieving arbitrary code execution within the Chrome renderer process. When chained with a sandbox escape, such vulnerabilities can lead to full system compromise. Beyond the zero-day, this update addresses 74 security vulnerabilities in total, one of the largest single-release patch batches in recent Chrome history. The breakdown by severity is alarming: 17 Critical vulnerabilities, nearly all classified as Use-After-Free (UAF) flaws affecting components including Ozone, Aura, TabStrip, Bluetooth, Autofill, Gamepad, Printing, and Web Apps 55 high-severity flaws spanning V8, Network, Extensions, ServiceWorker, Payments, WebRTC, GPU, PDF, SVG, Dawn, and more 2 medium-severity issues in Tracing and Guest View Use-After-Free vulnerabilities are among the most exploitable classes of memory corruption. They occur when a program continues to access memory after it has been freed, allowing attackers to manipulate heap memory to redirect execution flow. CVE ID Vulnerability Type Affected Component CVE-2026-11628 Use After Free Ozone CVE-2026-11629 Use After Free Ozone CVE-2026-11630 Use After Free File Input CVE-2026-11631 Use After Free Aura CVE-2026-11632 Use After Free TabStrip CVE-2026-11633 Use After Free Bluetooth CVE-2026-11634 Use After Free Gamepad CVE-2026-11635 Use After Free Bluetooth CVE-2026-11636 Use After Free Autofill CVE-2026-11637 Use After Free Views CVE-2026-11638 Use After Free Printing CVE-2026-11639 Use After Free Compositing CVE-2026-11640 Integer Overflow libyuv CVE-2026-11641 Use After Free Bluetooth CVE-2026-11642 Use After Free Web Apps CVE-2026-11643 Use After Free Proxy CVE-2026-11644 Use After Free Views The concentration of UAF bugs across so many Chrome components, particularly in Bluetooth, V8, and rendering subsystems, signals a significant internal security audit effort by Google’s own teams, who reported the majority of these bugs between May 25–30, 2026. Notable additional flaws include integer overflows in libyuv and Media (CVE-2026-11640, CVE-2026-11655, CVE-2026-11678), an out-of-bounds write in GPU (CVE-2026-11672), and a Type Confusion in Bindings (CVE-2026-11662) all of which carry serious exploitation potential. How to Update Chrome Don’t wait for the automatic rollout. According to Google’s advisory, to force a manual update: Open Chrome and navigate to chrome://settings/help Chrome will automatically check for and download the latest update Click Relaunch to apply the update Confirm you are running version 149.0.7827.102 or higher Given the confirmed in-the-wild exploitation of CVE-2026-11645, all Chrome users, especially those in enterprise environments, should treat this update as Priority 1. Full bug details remain restricted until the majority of users are patched. Follow us on Google News , LinkedIn and X to Get More Instant Updates. Set Cyberpress as a Preferred Source in Google. Share Facebook Twitter Pinterest WhatsApp Lucas Martinhttps://cyberpress.org/ Lucas Martin is an Investigative cybersecurity journalist dedicated to breaking stories on ransomware cartels, data breaches, and state-sponsored espionage. Recent Articles Attackers Weaponize AWS and Google Logs for Stealthy Exfiltration AWS June 11, 2026 GitLab Patches Multiple Flaws Enabling Account Takeover Attacks Cyber Security News June 11, 2026 Public PoC Released for Linux Kernel Guest-to-Host Escape Flaw Cyber Security News June 11, 2026 JDY Botnet Expands With 1,500 Compromised Devices Targeting Fresh Vulnerabilities Botnet June 11, 2026 Ivanti Command Injection Flaw Actively Exploited After PoC Release Vulnerability June 11, 2026 Related Stories AWS Attackers Weaponize AWS and Google Logs for Stealthy Exfiltration Varshini - June 11, 2026 Cyber Security News GitLab Patches Multiple Flaws Enabling Account Takeover Attacks Lucas Martin - June 11, 2026 Cyber Security News Public PoC Released for Linux Kernel Guest-to-Host Escape Flaw Lucas Martin - June 11, 2026 Botnet JDY Botnet Expands With 1,500 Compromised Devices Targeting Fresh Vulnerabilities Varshini - June 11, 2026 Cyber Security News Claude Fable 5 Jailbreak Enables Stack Exploit Generation Lucas Martin - June 11, 2026 Cyber Security News Windows Translation Framework 0-Day Enables Privilege Escalation Lucas Martin - June 10, 2026 LEAVE A REPLY Comment: Name:* Email:* Website:
    💬 Team Notes
    Article Info
    Source
    cyberpress.org
    Category
    ⬡ Vulnerabilities & CVEs
    Published
    Jun 11, 2026
    Archived
    Jun 11, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗