CVE-2026-11645
Published: 09 June 2026
Summary
CVE-2026-11645 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). The CVE ranks in the top 26.3% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability CVE-2026-11645 is an out-of-bounds read and write in the V8 JavaScript engine in Google Chrome versions prior to 149.0.7827.103. Assigned a CVSS v3.1 score of 8.8 and mapped to CWE-125 and CWE-787, the flaw permits a remote attacker to execute arbitrary code inside the browser sandbox via a crafted HTML page.
An unauthenticated remote attacker can trigger the issue by convincing a user to visit a malicious web page, after which the out-of-bounds memory operations can be abused to achieve code execution within the sandbox.
Remediation is through the official Chrome stable channel updates: upgrade to version 149.0.7827.103 or later. The CVE is listed in the CISA Known Exploited Vulnerabilities catalog. EPSS remains flat at 0.0547, with no material rise from its initial value.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-35245
Vulnerability details
Out of bounds read and write in V8 in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
- CWE(s)
- KEV Date Added: 09 June 2026
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Out-of-bounds R/W in V8 enables RCE via crafted HTML page visited by user, directly mapping to drive-by client-side exploitation.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly requires timely application of the vendor patch that eliminates the out-of-bounds read/write in V8.
Enforces memory-protection mechanisms that block the exact out-of-bounds read/write primitives used by the exploit.
Restricts or sandbox-controls execution of untrusted JavaScript (mobile code) that triggers the V8 flaw.