Google Patches Fifth Chrome Zero-Day of 2026 as Active Exploits Target Users

Google has released emergency security updates for its Chrome browser to address a newly discovered zero-day vulnerability that is already being exploited in the wild. The flaw, tracked as CVE-2026-11645, is the fifth Chrome zero-day vulnerability patched by the company since the beginning of the year.

The update is being rolled out to Chrome users across Windows, macOS, and Linux, although Google cautioned that it may take several days or even weeks before the patch reaches all users globally. Details about the release are available in Google’s Stable Channel Update for Desktop.

Active Exploitation Confirmed

Google confirmed that an exploit for CVE-2026-11645 exists in the wild, prompting the company to issue an emergency fix. However, it has not disclosed details about the attacks, the threat actors involved, or any potential targets.

The company said technical information about the vulnerability and related exploits may remain restricted until a majority of users have installed the security update.

High-Severity Flaw in Chrome’s V8 Engine

CVE-2026-11645 is classified as a high-severity vulnerability affecting Chrome’s V8 JavaScript engine. According to Google, the issue stems from an out-of-bounds read and write weakness that can be triggered through specially crafted HTML pages.

If successfully exploited, the flaw could allow attackers to execute code within Chrome’s sandbox environment. It could also expose sensitive information, crash the browser, and potentially assist attackers in bypassing security protections such as Address Space Layout Randomization (ASLR).

Fifth Zero-Day Patched This Year

The latest patch continues a busy year for Google’s security teams. The company previously fixed one actively exploited Chrome zero-day in February and another in April. Last month, Google addressed two additional zero-day vulnerabilities, bringing the total number of patched Chrome zero-days in 2026 to five.

The security fix is included in the following Chrome releases:

• Chrome 149.0.7827.102 for Windows and Linux
• Chrome 149.0.7827.103 for macOS

Users are encouraged to install the update as soon as it becomes available.

Chrome users can manually check for and install the latest update through the browser’s settings menu. The browser will also automatically download and install the update the next time it checks for updates and is restarted.

Given that the vulnerability is already being exploited in real-world attacks, security experts recommend updating immediately once the patched version becomes available.

Via BleepingComputer