Chrome Zero-Day CVE-2026-11645: How to Check and Update Every Browser in Your Office

Reza

Google pushed an emergency security update for Chrome today, June 9, 2026. Buried in a release fixing 74 vulnerabilities is one that is already being used against real users: CVE-2026-11645, a high-severity zero-day in Chrome's V8 JavaScript engine with a CVSS score of 8.8 out of 10.

This one warrants immediate action. Here's what it is, who is at risk, and exactly how to check every device in your office.

What CVE-2026-11645 Actually Is

V8 is the JavaScript engine inside Chrome. It runs code on every single web page you load. CVE-2026-11645 is an out-of-bounds memory access flaw in V8 - meaning the engine can be tricked into reading or writing data outside the memory space it is supposed to touch.

The practical consequence: a remote attacker can execute arbitrary code inside Chrome's sandbox just by getting someone to visit a crafted HTML page. No download prompt. No suspicious attachment to open. Just loading a page in the browser.

As BleepingComputer reported, this class of bug can also be chained with other vulnerabilities to bypass ASLR (Address Space Layout Randomization), one of the core memory protection mechanisms in modern operating systems. That makes it more dangerous than a standalone bug contained by the sandbox - it can serve as the first step in a longer attack chain targeting the underlying system.

Google confirmed in its official advisory that "an exploit for CVE-2026-11645 exists in the wild," which is the company's way of saying attacks are already happening. Google intentionally held back technical details to buy time for users to patch before attackers can reverse-engineer the fix and develop more widespread exploits.

How to Check if Your Chrome Is Patched

The patched version numbers are:

  • Windows: 149.0.7827.102
  • macOS: 149.0.7827.103
  • Linux: 149.0.7827.102

Checking is straightforward:

  1. Open Chrome and click the three-dot menu in the top-right corner
  2. Go to Help > About Google Chrome
  3. Chrome will automatically check for and install any pending update
  4. After it installs, click Relaunch to apply it

If the version showing on that screen is 149.0.7827.102 or higher (Windows/Linux) or 149.0.7827.103 or higher (macOS), you're covered. If it's lower, update now and relaunch.

One thing that trips people up: Chrome downloads updates in the background, but those updates do not take effect until the browser is relaunched. Employees who leave Chrome open for days or weeks at a stretch may have the update downloaded but not applied. A full close and reopen is required.

It Is Not Just Chrome - Check Edge, Brave, and Opera Too

V8 is not exclusive to Google Chrome. It is the JavaScript engine at the core of every Chromium-based browser, which includes:

  • Microsoft Edge (installed by default on every Windows 10 and Windows 11 machine)
  • Brave
  • Opera
  • Vivaldi

All of these browsers share the same underlying V8 engine. Each vendor needs to pull in Google's patch and release their own update. Microsoft is typically fast with Edge given the security implications, but the timing varies. If your office uses any of these browsers, check their update channels as well.

For Microsoft Edge: go to Settings > Help and feedback > About Microsoft Edge to trigger a check.

The Bigger Picture: Five Chrome Zero-Days in Six Months

CVE-2026-11645 is the fifth actively exploited Chrome zero-day patched by Google since January 2026, as The Hacker News reported. The previous four were:

  • CVE-2026-2441 - Iterator invalidation bug in CSS font features, patched February
  • CVE-2026-3909 - Out-of-bounds write in Skia graphics library, patched March
  • CVE-2026-3910 - Inappropriate implementation in V8, patched March
  • CVE-2026-5281 - Use-after-free in Dawn (WebGPU), patched April

That is roughly one actively exploited zero-day per month. The pattern reflects two things happening simultaneously: security researchers are finding and responsibly disclosing bugs faster than ever, and sophisticated threat actors are doing the same - except without the disclosure part.

Chrome's auto-update mechanism is one of the best in the software industry, but it only works if browsers actually get relaunched. In a business environment where users keep Chrome pinned open 24/7, those updates can sit in a "downloaded but not applied" state for days. That window is where attackers operate.

What IT Teams Should Do Right Now

If you manage IT for your organization, here is a practical checklist for today:

1. Push the update via your endpoint management tool

If you have a centralized endpoint management platform (Intune, JAMF, Workspace ONE, etc.), push a Chrome policy update or force-relaunch remotely. Do not rely on end users to click "Relaunch" on their own.

2. Verify the version fleet-wide

Run a version inventory across your endpoints. Any machine still on a Chrome version below 149.0.7827.102 (149.0.7827.103 on macOS) needs to be flagged and updated. This is a good practice after any actively exploited zero-day, regardless of browser.

3. Check Edge on all Windows machines

Windows machines ship with Edge installed and often running. Even if your company standardizes on Chrome, Edge may be running in the background or used occasionally by employees. Verify Edge is on the latest version as well.

4. Remind employees about relaunching

A quick internal note - email, Slack, Teams, whatever your company uses - asking everyone to close and reopen Chrome goes a long way. Most employees have no idea that browser updates need a relaunch to take effect. A one-sentence message from IT prevents a lot of exposure.

5. Review browser update policies

This is a good moment to look at whether your environment enforces a maximum Chrome version age. Google recommends updating within a week of major releases. Some organizations run Chrome in managed mode through group policy, which can delay updates if not configured correctly. Make sure your settings are not inadvertently blocking timely patching.
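
An added example for step 2 (not from the original post or from Google): a Python triage of an inventory export against the patched builds listed above. The CSV column names and sample rows are constructed assumptions. Versions are compared as integer tuples because a plain string comparison would rank .99 above .102, and non-Chrome Chromium browsers are routed to their own vendor's advisory because their build numbers differ.

```python
import csv
import io

# Patched Chrome builds per OS, as listed on this page.
PATCHED_CHROME = {
    "windows": (149, 0, 7827, 102),
    "macos": (149, 0, 7827, 103),
    "linux": (149, 0, 7827, 102),
}

# Constructed sample inventory export; the column names are an assumption.
SAMPLE_INVENTORY = """host,os,browser,version
ws-001,windows,chrome,149.0.7827.102
ws-002,windows,chrome,149.0.7827.99
mac-003,macos,chrome,149.0.7827.102
lnx-004,linux,chrome,148.0.7700.210
ws-005,windows,edge,149.0.3500.10
ws-006,windows,chrome,unknown
"""

def parse_version(text):
    """Turn '149.0.7827.102' into (149, 0, 7827, 102); None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def triage(inventory_csv):
    """Return {host: status} for every row in the inventory."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        browser, os_name = row["browser"].lower(), row["os"].lower()
        version = parse_version(row["version"])
        if browser != "chrome":
            # Edge, Brave, Opera and Vivaldi use their own build numbers;
            # compare against the vendor's advisory, not Chrome's.
            status = "CHECK_VENDOR"
        elif version is None or os_name not in PATCHED_CHROME:
            status = "UNKNOWN"
        elif version >= PATCHED_CHROME[os_name]:
            status = "PATCHED"
        else:
            status = "VULNERABLE"
        results[row["host"]] = status
    return results

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:10} {status}")
```

Hosts reported as UNKNOWN should be treated as unpatched until someone confirms the version by hand.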

Why Browser Security Is Part of Your Overall Security Posture

Browsers have become the primary attack surface for most businesses. The days when the main threat vector was a malicious email attachment are not gone, but browser-based exploits are increasingly common because browsers touch everything - internal apps, cloud platforms, SaaS tools, web-based email, and external sites.

A compromised browser on a single employee's machine can expose stored credentials, session tokens, and any data passing through the browser. In environments with single sign-on (SSO) or web-based access to critical systems, that is a significant foothold for an attacker.

Keeping browsers patched quickly is one of the higher-ROI security habits a business can build. It does not require expensive tooling - just a consistent process. The challenge is enforcement at scale. That's where having a vulnerability management process and endpoint visibility makes a measurable difference.

For businesses that do not have centralized IT management in place, patches like this one often get missed simply because there's no system to catch them. A managed IT services provider handles this as part of regular operations - monitoring for new vulnerabilities, pushing patches, and verifying deployment across all endpoints.

One More Thing: The Relaunch Prompt You May Already Have

If Chrome has already downloaded the update but is waiting for a relaunch, you'll see a small notification in the top-right corner of the browser - either an arrow icon or a colored dot. Green means the update has been available for less than 2 days. Orange means 4 days. Red means it has been waiting for more than a week.

If any of your employees have a red or orange indicator on Chrome right now, that means they've had a pending security update for days and just have not relaunched. This vulnerability is a concrete reason to act on those indicators today.

If you want a hand getting your patch management process tightened up - or just want someone to verify your fleet is updated after today's news - we're happy to help. Reach us at (949) 381-1010 or through our contact page.

Frequently Asked Questions

What versions of Chrome are affected by CVE-2026-11645?

All versions of Chrome prior to 149.0.7827.102 on Windows and Linux, and prior to 149.0.7827.103 on macOS, are affected. Update to these versions or higher and relaunch the browser to apply the fix.

Does this vulnerability affect Chrome on Android or iOS?

Google's emergency advisory focused on desktop versions. Check the Google Play Store and App Store for pending Chrome updates on mobile as a precaution, but the primary exposure risk is on desktop.

If Chrome is set to auto-update, am I protected?

Auto-update downloads the patch automatically, but it does not take effect until Chrome is fully closed and reopened. If employees leave Chrome running continuously, the update may be downloaded but not yet applied. Close and relaunch Chrome for the patch to become active.

Does an attacker need to trick someone into clicking something?

No. The exploit targets V8's memory handling during JavaScript execution, which happens automatically when a page loads. Attackers typically deliver this through malicious ads, compromised websites, or phishing links leading to attacker-controlled pages - no interaction beyond visiting the page is required.

Should we have a formal process for responding to browser zero-days?

For most businesses with 10 or more employees, yes. The minimum viable process is: a way to hear about critical vulnerabilities quickly (subscribing to CISA's Known Exploited Vulnerabilities feed, BleepingComputer, or The Hacker News works well), a way to push patches without relying on users, and a way to verify deployment. Our vulnerability management services cover exactly this. If you want to talk through what that looks like for your team, reach out here.
