CVE-2026-11645
HIGH · 8.8 KEV EPSS 0.7%
Urgent vendor patch, in-the-wild claims, and coordinated media coverage signal real attacks, though a KEV listing is absent.
What: Out-of-bounds read/write in V8 JavaScript engine in Google Chrome prior to 149.0.7827.103; allows remote code execution via crafted HTML; CVSS 8.8 HIGH.
Why it matters: Google released a patch the same day this CVE was published (2026-06-09), and multiple sources report active in-the-wild exploitation. No KEV listing yet, but vendor urgency and defender chatter indicate real weaponization. V8 bugs affecting billions of Chrome users carry immediate triage weight.
Where it's seen: Coordinated coverage across Help Net Security and The Hacker News; social posts emphasize "zero-day exploited in the wild" and urgent patching. Posts cite Chrome 149.0.7827.103 as the fix. No PoC code visible in sample, but tone reflects established exploitation, not speculation.
RISK: CRITICAL — V8 RCE in Chrome, active exploitation, high CVSS, same-day patch.
Description
Out of bounds read and write in V8 in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
CVSS 3.1 breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Attack vector: Network
- Complexity: Low
- Privileges required: None
- User interaction: Required
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: High