
Chrome 149 Patches the Fifth Zero-Day Exploited in 2026

Chrome 149 patches CVE-2026-11645, a V8 zero-day exploited in the wild and the fifth such flaw fixed in 2026. Here is how to force the update on desktop.

Google has shipped Chrome 149 to fix a high-severity zero-day vulnerability in the V8 JavaScript engine that attackers are already exploiting in the wild. The flaw, tracked as CVE-2026-11645, is the fifth actively exploited Chrome zero-day Google has patched since the start of 2026, and it lands inside a 74-fix security package now rolling out to Windows, Mac, and Linux.

The patch sits in the Stable channel as versions 149.0.7827.102 and 149.0.7827.103, but Google warned the rollout can take days or weeks to reach every machine. Users who do not manually trigger the update remain exposed to a flaw that can hijack the browser’s sandbox through a single malicious HTML page.

What the V8 Flaw Actually Does

CVE-2026-11645 is an out-of-bounds read and write weakness inside V8, the JavaScript and WebAssembly engine that powers Chrome and every Chromium-based browser. A remote attacker can trigger it by luring a target to a crafted HTML page, where normal page rendering corrupts memory in a way the browser never expected. The U.S. National Vulnerability Database entry for the flaw describes the same primitive: “Out-of-bounds read and write in V8 in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.”

Once the corruption lands, the attacker can read and write outside the bounds of the memory buffer V8 allocated for the script, exposing data the page was never meant to see. The same access can defeat Address Space Layout Randomization, the operating system defense that randomizes where code lands in memory, making it far easier to chain the V8 bug into full code execution inside Chrome’s sandbox, according to BleepingComputer’s reading of the flaw. Google rated the issue high severity, and outside researchers have assigned it a CVSS score of 8.8, according to the published CVE-2026-11645 details.

Google has acknowledged that “an exploit for CVE-2026-11645 exists in the wild,” the same short sentence the company has used on every active zero-day advisory this year. The company is withholding the full technical write-up until a majority of users have updated.

The Researcher and the $55,000 Bounty

The bug was reported to Google on April 27, 2026 by an independent researcher who goes by the handle “303f06e3.” The Hacker News and BleepingComputer both credit the same handle with the discovery, and the fifth Chrome zero-day patched this year traces back to the same submission. Google paid the researcher a $55,000 bug bounty for the responsible disclosure, near the top of the Chrome Vulnerability Rewards Program scale for V8 memory-safety bugs.

The Register reports that 303f06e3 has previously reported other Chrome vulnerabilities, and the size of this payout suggests Google classified the V8 bug among the more serious memory-safety classes it has paid out on this year. Google does not publish a real name for the researcher, and the handle is the only public credit on the Chrome Releases advisory.

Chrome 149 Ships 74 Security Fixes

Chrome 149 carries 74 security fixes in total, according to the Chrome 149 stable channel security advisory posted this week. Sixteen of those fixes are rated Critical, with the rest split between High and Medium severities. Almost every fix in the package was reported by Google’s own internal security teams, with the V8 zero-day as the lone entry among the high-severity items credited to an outside researcher.

  • 74 total security fixes in the Chrome 149 release
  • 16 rated Critical by Google
  • $55,000 bug bounty paid to the outside researcher
  • CVSS 8.8 severity score from outside researchers
  • Fifth actively exploited Chrome zero-day patched in 2026

The 16 Critical fixes cover use-after-free bugs in Ozone, File Input, Aura, TabStrip, Bluetooth, Gamepad, Autofill, Views, Printing, Compositing, and Web Apps, plus an integer overflow in libyuv. All were reported by Google on dates between May 25 and May 29, a five-day window that points to a coordinated batch of discoveries from the company’s automated fuzzing setup. The release blog credits AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, and AFL as the tools surfacing many of the package’s flaws.

Google has held back technical details for the V8 zero-day while users update, a standard move during active exploitation. “Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” the advisory says, and the same restriction applies if the bug lives in a third-party library other projects also depend on. The hold-back is the reason the public NVD entry still reads as a one-paragraph summary rather than a full technical write-up.

A Fifth Zero-Day in 2026

The V8 bug is the fifth actively exploited Chrome zero-day Google has patched in 2026, matching the count BleepingComputer, The Hacker News, and SecurityWeek all reported this week. BleepingComputer notes Google fixed eight Chrome zero-days exploited in the wild across all of 2025, a twelve-month total.

The first 2026 entry came in mid-February, an iterator invalidation bug in CSSFontFeatureValuesMap, Chrome’s implementation of CSS font feature values, tracked as CVE-2026-2441. Two followed in March: an out-of-bounds write in the Skia 2D graphics library (CVE-2026-3909) and an inappropriate implementation flaw in the V8 engine itself (CVE-2026-3910). A use-after-free in Dawn, the underlying cross-platform implementation of the WebGPU standard used by the Chromium project, was patched in April as CVE-2026-5281. CVE-2026-11645, an out-of-bounds read and write in V8, is the fifth. For more on the March emergency patch, see Google’s emergency Chrome zero-day fix from March.

The five zero-days hit four different components, with V8 hit twice in the same year. Last year’s eight zero-days were reported in many cases by Google’s Threat Analysis Group, which tracks zero-day exploits used in spyware campaigns. Google has not said whether the 2026 cluster points to a coordinated discovery push or a coincidence of timing.

Other Chromium Browsers Need the Same Patch

Chrome is not the only browser built on its engine. Microsoft Edge, Brave, Opera, and Vivaldi all share the V8 JavaScript engine and the same Chromium codebase, which means the same V8 zero-day sits inside each of them until its vendor ships a rebuild. The Hacker News advises users of those four browsers to apply fixes as soon as their respective developers release them.

Chromium-based vendors typically rebase their browsers onto the new Chrome stable within days of Google’s release, so Edge, Brave, Opera, and Vivaldi users should see corresponding updates inside the same week. Anyone who relies on one of those browsers rather than Chrome should still apply the update the moment it lands, since the underlying V8 flaw is shared. For businesses that pin browsers to a specific version through a managed channel, the same lag applies, and the rebuild lands through a separate maintenance window.

Why the Auto-Update Window Matters

Chrome downloads and applies security patches automatically during normal operation, but the rollout is staggered. The Chrome Releases blog says the 149 update will roll out over the coming days/weeks, and BleepingComputer notes the same window when reporting the patch. Google does not publish a per-machine timeline for when a given installation will see the new build.

BleepingComputer found the 149 update available immediately when it checked for updates on Monday, hours after the advisory and before the staged rollout had reached its machine. For users who want to skip the queue, Chrome ships a built-in shortcut that pings Google’s servers and pulls the new build on demand; it is also the path Google documents for confirming that an install is on 149 today rather than sometime in the coming weeks. For users who have not yet seen the update offered automatically, the next section walks through that manual path.

Force the Patch in Under a Minute

Chrome does not surface a “you are out of date” banner, which is why most users do not know they are running a vulnerable build. The browser checks for updates silently and applies them at the next launch, but a “next launch” can be days away on a machine that is rarely restarted. The fastest way to land on 149 today is to trigger the check by hand.

On Windows, Mac, or Linux, open the three-dot menu in the top-right corner of the Chrome window. From the menu, choose Help, then About Google Chrome. The browser will contact Google’s update servers, pull the 149 build, and prompt a relaunch to finish the install. The whole sequence takes under a minute on a normal connection.

The Hacker News walks through the same path, ending with a click on Relaunch once the build is ready. BleepingComputer confirmed the same flow on Monday, with the 149 build already waiting when it ran the check. The relaunch closes every open tab, so users with unsaved work should save first.

  1. Click the three-dot menu in the top-right corner of Chrome.
  2. Select Help, then About Google Chrome.
  3. Wait for the browser to download version 149.0.7827.102 or 149.0.7827.103.
  4. Click Relaunch to finish the install.

After the relaunch, the About page should report “Chrome 149.0.7827.102” on Windows or Linux, and “Chrome 149.0.7827.103” on Mac. If the version string is older, the update did not apply and the steps above need to run again, sometimes twice in a row. Android Chrome ships on its own release cadence and is not covered by this advisory. Android users should check the Play Store for a separate Chrome for Android update on its own schedule. Users on Microsoft Edge, Brave, Opera, and Vivaldi should wait for their respective vendors to rebase onto the new Chromium build, which typically happens within days.
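For administrators who need to check more than one machine, here is an added example, not from the article or from Google, that compares reported Chrome version strings against the fixed builds named above (149.0.7827.102 on Windows and Linux, 149.0.7827.103 on Mac). The inventory rows are constructed sample data, and the local version probe assumes the usual Linux binary names.

```python
"""Triage Chrome installs against the CVE-2026-11645 fix threshold (Chrome 149)."""
from __future__ import annotations
import re
import shutil
import subprocess

# First Stable builds carrying the fix, per the Chrome 149 advisory as reported above.
FIXED_VERSIONS = {
    "windows": (149, 0, 7827, 102),
    "linux": (149, 0, 7827, 102),
    "mac": (149, 0, 7827, 103),
}


def parse_version(text: str) -> tuple[int, ...]:
    """Extract a four-part Chrome version (e.g. '149.0.7827.102') from free text."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no Chrome version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def is_patched(version: str, platform: str) -> bool:
    """True when the build is at or above the first fixed build for that platform."""
    # Tuple comparison orders major, minor, build, patch numerically, not lexically.
    return parse_version(version) >= FIXED_VERSIONS[platform.lower()]


def triage(inventory: list[tuple[str, str, str]]) -> list[str]:
    """Return hostnames whose Chrome is still below the fixed build, sorted."""
    return sorted(host for host, plat, ver in inventory if not is_patched(ver, plat))


def local_chrome_version() -> str | None:
    """Best effort: ask a locally installed Chrome for its version (assumed binary names)."""
    for exe in ("google-chrome", "google-chrome-stable", "chromium"):
        path = shutil.which(exe)
        if path:
            out = subprocess.run([path, "--version"], capture_output=True, text=True)
            return out.stdout.strip() or None
    return None


# Constructed sample inventory: (hostname, platform, version string as reported).
SAMPLE_INVENTORY = [
    ("ws-01", "windows", "Google Chrome 149.0.7827.102"),   # patched
    ("ws-02", "windows", "Google Chrome 148.0.7765.141"),   # still on 148
    ("mac-03", "mac", "Google Chrome 149.0.7827.102"),      # Mac needs .103
    ("lin-04", "linux", "Google Chrome 150.0.7900.10"),     # newer than the fix
    ("mac-05", "mac", "149.0.7827.103"),                    # patched
]

if __name__ == "__main__":
    print("still vulnerable:", triage(SAMPLE_INVENTORY))
    print("this machine:", local_chrome_version() or "Chrome not found on PATH")
```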

Frequently Asked Questions

What is CVE-2026-11645?

CVE-2026-11645 is an out-of-bounds read and write in V8, the engine that runs JavaScript and WebAssembly inside Chrome. A crafted HTML page is enough to trigger it, and a successful hit lets the attacker run code inside Chrome’s sandbox. Google confirmed an exploit is already in use and rated the flaw high severity; outside researchers have assigned it a CVSS score of 8.8.

How many zero-days has Google patched in Chrome in 2026?

Five, with the V8 fix in Chrome 149 as the latest. The year opened with CVE-2026-2441 in CSS font features in February, then CVE-2026-3909 in Skia and CVE-2026-3910 in V8 in March, then CVE-2026-5281 in Dawn in April. Google’s full-year 2025 count was eight exploited Chrome zero-days.

Do I need to update Chrome manually?

Only if you do not want to wait for the staggered rollout. Chrome’s auto-update applies security fixes at the next browser launch, but the 149 build is rolling out “over the coming days/weeks” per the Chrome Releases blog. BleepingComputer found the 149 update available the moment it manually checked on Monday, so a forced check is how to skip the queue.

Are Edge, Brave, Opera, and Vivaldi affected?

Yes. All four share the V8 engine and Chromium codebase with Chrome, so the same out-of-bounds flaw sits inside each browser until its vendor ships a rebuild. The Hacker News advises users to apply their respective vendors’ updates as soon as they appear, which typically happens within days of the Chrome release.

Is the Android version of Chrome affected?

The June 9 Chrome 149 advisory covers the desktop Stable channel only. Android Chrome ships on its own release cadence, and Google did not list an Android build in the same advisory. Android users should check the Play Store for a separate update on its own schedule.

As the founder of Thunder Tiger Europe Media, Dr. Elias Thornwood brings over 25 years of experience in international journalism, having reported from conflict zones in the Middle East, Asia, and Africa for outlets like BBC World and Reuters. With a PhD in International Relations from Oxford University, his expertise lies in geopolitical analysis and global diplomacy. Elias has authored two bestselling books on European foreign policy and received the Pulitzer Prize for International Reporting in 2015, establishing his authoritativeness in the field. Committed to trustworthiness, he enforces rigorous fact-checking protocols at Thunder Tiger, ensuring unbiased, evidence-based coverage of worldwide news to empower informed global audiences.
