Executive Summary
CVE-2026-11645 is a critical out-of-bounds read and write vulnerability in the Google Chromium V8 JavaScript engine. The flaw allows a remote attacker to execute arbitrary code inside a sandbox via a specially crafted HTML page. CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild. Every Chromium-based browser — including Google Chrome and Microsoft Edge — is potentially affected.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-11645 |
| Component | Google Chromium V8 JavaScript Engine |
| Type | Out-of-Bounds Read and Write |
| Attack Vector | Network (malicious web page) |
| Authentication | None required |
| User Interaction | Required (visit a crafted page) |
| CISA KEV | Yes — active exploitation confirmed |
Vulnerability Overview
What Is V8?
V8 is the open-source JavaScript and WebAssembly engine developed by Google. It is the core component responsible for executing JavaScript in Chromium-based browsers, including:
- Google Chrome
- Microsoft Edge
- Brave
- Opera
- Vivaldi
- Any application embedding the Chromium runtime (Electron apps, etc.)
Because V8 runs untrusted JavaScript from arbitrary websites, vulnerabilities in V8 are extremely high-value attack targets. The engine processes hundreds of billions of JavaScript operations per day across billions of devices.
Root Cause
CVE-2026-11645 is an out-of-bounds (OOB) read and write vulnerability — a class of memory corruption bug that occurs when a program accesses memory locations outside the intended buffer boundaries.
In V8, this type of vulnerability typically arises from:
- Type confusion — the engine incorrectly interprets the type of a JavaScript object, allowing mismatched memory access
- Integer overflow — arithmetic errors in buffer size calculations produce incorrect boundaries
- JIT compiler bugs — the Just-In-Time compiler optimizes code in a way that eliminates safety checks, opening a memory window for exploitation
An attacker exploiting an OOB read can leak sensitive memory contents (including addresses that defeat ASLR). An OOB write can corrupt memory structures to redirect code execution.
Sandbox Implications
Modern browsers isolate renderer processes in a sandbox that restricts access to the operating system. CVE-2026-11645 allows code execution within the renderer sandbox. While this does not immediately grant full OS access, a renderer compromise is typically chained with a second vulnerability (a sandbox escape) to achieve full system compromise.
The CISA KEV listing and confirmed active exploitation strongly suggest this vulnerability is being used in an exploitation chain.
Affected Products
| Product | Affected |
|---|---|
| Google Chrome | All versions prior to patched release |
| Microsoft Edge (Chromium) | All versions prior to patched release |
| Brave Browser | Chromium-based — update required |
| Opera | Chromium-based — update required |
| Electron-based applications | May be affected depending on embedded Chromium version |
Exploitation Mechanics
Attack Chain
1. Attacker hosts or injects a crafted HTML page containing malicious JavaScript
2. Victim visits the page in an unpatched Chromium-based browser
3. V8 processes the JavaScript — OOB read leaks memory layout (ASLR defeat)
4. OOB write corrupts V8 internal structures
5. Attacker achieves arbitrary code execution inside the renderer sandbox
6. (Typical) Second exploit (sandbox escape) escalates to OS-level access
Delivery Vectors
- Drive-by download — victim visits a malicious or compromised website
- Malvertising — malicious ad networks serve the exploit page
- Spear phishing — targeted links sent via email or messaging platforms
- Watering hole — attacker compromises a legitimate site frequented by the target
Why This Is Especially Dangerous
Universal Browser Coverage
Chromium holds approximately 65–70% of global browser market share. A single V8 vulnerability can potentially be weaponized against the majority of internet users worldwide. Unlike application-specific vulnerabilities, a browser zero-day requires no target software installation — just a web visit.
Low User Interaction Required
The exploit requires only that the victim visit a crafted HTML page. No file download, no macro execution, no click-through confirmation. Phishing lures are highly effective because the payload is the page itself.
CISA KEV Confirmed
CISA's addition of this CVE to the KEV catalog on June 9, 2026, confirms that threat actors are actively using this vulnerability in real-world attacks. Historical patterns show that V8 vulnerabilities are frequently exploited by:
- Nation-state actors for targeted espionage
- Ransomware operators as initial access vectors
- Commercial spyware vendors (e.g., NSO Group-style capabilities)
Immediate Remediation
Update Your Browser Now
Google Chrome: Settings → Help → About Google Chrome — auto-update if enabled, or restart the browser to apply a pending update.
Microsoft Edge: Settings → Help and feedback → About Microsoft Edge — same process.
Verify Your Version
Check the patched version number from the vendor's security advisory. Any version below the patched release is vulnerable.
For Enterprises
- Force browser updates via Group Policy (Chrome) or Intune/SCCM (Edge).
- Audit Electron-based applications in your environment — each embeds its own Chromium version and must be updated independently.
- Enable browser auto-updates organization-wide — consider this a non-negotiable baseline control for all endpoints.
- Review web proxy logs for suspicious domains that may indicate exploitation attempts.
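The version check and the Electron audit described above can be run over a software inventory export. The following is an added example, not code from any vendor or from this advisory; the inventory field names and every version number in it are constructed, and the baselines are placeholders to be replaced with the builds named in the vendor advisories.

```python
# Constructed placeholder baselines, NOT the real fixed versions for
# CVE-2026-11645: replace each with the build named in the vendor advisory.
PLACEHOLDER_FIXED = {"chrome": "200.0.1000.100", "edge": "200.0.900.50"}

# Constructed inventory rows. For Electron apps, "chromium" is the embedded
# engine version (what process.versions.chrome reports), not the app version.
SAMPLE_INVENTORY = [
    {"host": "ws-01", "product": "chrome", "chromium": "200.0.1000.100"},
    {"host": "ws-02", "product": "chrome", "chromium": "200.0.1000.99"},
    {"host": "ws-03", "product": "edge", "chromium": "199.0.2000.10"},
    {"host": "ws-04", "product": "electron:example-chat", "chromium": "200.0.999.200"},
    {"host": "ws-05", "product": "electron:example-notes", "chromium": "unknown"},
]

def parse_version(text):
    """Parse a four-part Chromium version into a tuple of ints, else None."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def status(row, fixed=PLACEHOLDER_FIXED):
    """Return 'patched', 'vulnerable' or 'unknown' for one inventory row."""
    # Assumption: Electron apps are compared against the Chrome baseline. This
    # is conservative, since Electron can backport a fix without changing the
    # Chromium version string; confirm hits against the Electron release notes.
    key = "chrome" if row["product"].startswith("electron:") else row["product"]
    have, need = parse_version(row["chromium"]), parse_version(fixed.get(key, ""))
    if have is None or need is None:
        return "unknown"   # treat as unpatched until someone checks the host
    # Tuple comparison is numeric per field; comparing the raw strings would
    # rank "200.0.1000.99" above "200.0.1000.100".
    return "patched" if have >= need else "vulnerable"

def audit(inventory):
    """List (host, status) for every row that is not confirmed patched."""
    results = [(row["host"], status(row)) for row in inventory]
    return [(host, state) for host, state in results if state != "patched"]

print(audit(SAMPLE_INVENTORY))
```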
For Federal Agencies
Per CISA BOD 22-01, FCEB agencies must remediate KEV-listed vulnerabilities within the prescribed deadline from the date of KEV addition (June 9, 2026). Treat this as a P1 patch cycle.
Detection
Indicators of Compromise
V8 exploits are notoriously difficult to detect at the network layer because they execute entirely in-browser. Focus detection on post-exploitation indicators:
| Indicator | Description |
|---|---|
| Unexpected child processes of browser | Renderer spawning cmd.exe, powershell, sh |
| Network connections from browser process | Browser contacting unusual IPs/domains post-visit |
| Suspicious process injection | Code injected into system processes from browser context |
| Crash telemetry | Browser crashes on specific URLs or JS patterns |
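The first indicator in the table can be turned into a triage rule over process-creation telemetry. The following is an added example, not part of the original advisory; the event field names and all sample events are constructed, so map them to what your EDR or Sysmon pipeline emits.

```python
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "chrome"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash"}
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

# Constructed process-creation events, not real telemetry. The field names are
# assumptions; map them to what your EDR or Sysmon pipeline actually emits.
SAMPLE_EVENTS = [
    {"host": "ws-01", "parent": CHROME, "parent_cmd": "chrome.exe",
     "image": CHROME, "cmd": "chrome.exe --type=renderer"},
    {"host": "ws-02", "parent": CHROME, "parent_cmd": "chrome.exe --type=renderer",
     "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe"},
    {"host": "ws-03", "parent": EDGE, "parent_cmd": "msedge.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe"},
    {"host": "ws-04", "parent": CHROME, "parent_cmd": "chrome.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /c "C:\ExampleHost\host.exe" chrome-extension://constructedid/'},
    {"host": "ws-05", "parent": r"C:\Windows\explorer.exe", "parent_cmd": "explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe"},
    {"host": "lx-01", "parent": "/opt/google/chrome/chrome",
     "parent_cmd": "chrome --type=renderer", "image": "/bin/sh", "cmd": "sh"},
]

def basename(path):
    """Lower-cased file name, accepting Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(event):
    """Return 'high', 'medium', 'review' or None for one process-creation event."""
    if basename(event["parent"]) not in BROWSERS:
        return None
    child = basename(event["image"])
    if "--type=renderer" in event["parent_cmd"]:
        return "high"      # a sandboxed renderer has no reason to create processes
    if child in BROWSERS:
        return None        # browser process starting its own renderer/GPU/utility
    if child in SHELLS:
        # Chrome on Windows starts native messaging hosts through cmd.exe and
        # passes the calling extension's origin; confirm the host is approved.
        if "chrome-extension://" in event["cmd"]:
            return "review"
        return "medium"
    return None

def triage(events):  # (host, severity) for every event that needs attention
    return [(e["host"], sev) for e in events if (sev := classify(e))]

print(triage(SAMPLE_EVENTS))
```

A "high" result means the parent carried the renderer flag, which is the post-exploitation pattern the table describes; "review" entries are expected wherever extensions use native messaging and should be matched against an approved-host list.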
Browser Security Controls
- Enhanced Protection Mode in Chrome provides some defense-in-depth via heuristic analysis of visited URLs.
- Microsoft Defender SmartScreen in Edge can block known malicious URLs.
- Enterprise URL filtering can restrict access to newly registered or high-risk domains.
Historical Context: V8 Exploitation Trends
V8 zero-days are among the most exploited vulnerability categories year-over-year. Recent examples illustrate the pattern:
| CVE | Year | Type | Exploited By |
|---|---|---|---|
| CVE-2026-2441 | 2026 | V8 type confusion | Active exploitation (KEV) |
| CVE-2025-2783 | 2025 | Sandbox escape chain | APT (espionage campaign) |
| CVE-2024-4947 | 2024 | V8 type confusion | Active exploitation |
The consistent pattern: nation-state actors and cybercriminals acquire V8 zero-days before patches are available and exploit them in targeted or opportunistic campaigns before defenders can react.
Key Takeaways
- Critical OOB vulnerability in Chromium V8 — renderer sandbox code execution via crafted HTML
- Active exploitation confirmed by CISA KEV listing (June 9, 2026)
- Impacts all major Chromium-based browsers — Chrome, Edge, Brave, Opera, and Electron apps
- Patch immediately — browser update is the primary and most effective control
- Watch for chained exploits — sandbox escape likely accompanies this in real-world attacks