Cyber Resilience

CVE-2026-11645

High · CISA KEV · Active Exploitation · Updated

Published: 09 June 2026
Modified: 17 June 2026
KEV Added: 09 June 2026
Patch
CVSS v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS: 0.0165 (73.7th percentile)
Risk Priority: 100 (floored blend · peak EPSS)

Summary

CVE-2026-11645 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). The CVE ranks in the top 26.3% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-11645 is an out-of-bounds read and write in the V8 JavaScript engine in Google Chrome versions prior to 149.0.7827.103. Assigned a CVSS v3.1 score of 8.8 and mapped to CWE-125 and CWE-787, the flaw permits a remote attacker to execute arbitrary code inside the browser sandbox via a crafted HTML page.

An unauthenticated remote attacker can trigger the issue by convincing a user to visit a malicious web page, after which the out-of-bounds memory operations can be abused to achieve code execution within the sandbox.

Official Chrome stable channel updates require upgrading to version 149.0.7827.103 or later. The CVE is listed in the CISA known exploited vulnerabilities catalog. EPSS remains flat at 0.0547 with no material rise from its initial value.

Vulnerability details

Out of bounds read and write in V8 in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

CWE(s): CWE-125 (Out-of-bounds Read), CWE-787 (Out-of-bounds Write)

Related Threats

MITRE ATT&CK Enterprise Techniques

- T1189 Drive-by Compromise (Initial Access): adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
- T1203 Exploitation for Client Execution (Execution): adversaries may exploit software vulnerabilities in client applications to execute code.

Why these techniques?

An out-of-bounds read/write in V8 enables remote code execution when a user visits a crafted HTML page, which maps directly to drive-by, client-side exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

Google Chrome ≤ 149.0.7827.103

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)
Directly requires timely application of the vendor patch that eliminates the out-of-bounds read/write in V8.

SI-16 Memory Protection (prevent)
Enforces memory-protection mechanisms that block the exact out-of-bounds read/write primitives used by the exploit.

SC-18 Mobile Code (partial match, prevent)
Restricts or sandbox-controls execution of untrusted JavaScript (mobile code) that triggers the V8 flaw.