Active Exploitation Alert: Google Chrome 149 Critical Vulnerabilities Patched Amid Ongoing CVE-2026-11645 Attacks


Executive Summary

The latest Google Chrome 149 update (versions 149.0.7827.102 and 149.0.7827.103) patches 28 vulnerabilities, many of them rated high or critical severity. The most significant is CVE-2026-11645, an out-of-bounds read/write flaw in the V8 JavaScript engine, which has been confirmed as actively exploited in the wild. This advisory provides a technical breakdown of the vulnerabilities, exploitation tactics, threat actor activity, affected product versions, and actionable mitigation guidance. The update is urgent: exploitation of these vulnerabilities can lead to arbitrary code execution, privilege escalation, and compromise of sensitive data. All organizations using Google Chrome are strongly advised to update immediately and review their endpoint security posture.

Technical Information

The Chrome 149 update remediates a spectrum of vulnerabilities, predominantly memory safety issues such as "use-after-free" and integer overflow bugs. These flaws are distributed across multiple Chrome components, including Ozone, File Input, Aura, TabStrip, Bluetooth, Gamepad, Autofill, Views, Printing, Compositing, libyuv, Web Apps, Proxy, ViewTransitions, FullScreen, Network, Extensions, CameraCapture, and Media. The most critical vulnerability, CVE-2026-11645, is an out-of-bounds memory access in the V8 engine, which underpins Chrome’s JavaScript execution. This vulnerability allows remote attackers to craft malicious HTML or JavaScript payloads that, when rendered by a vulnerable browser, can achieve arbitrary code execution within the Chrome sandbox. The attack vector is remote and requires only that a user visit a compromised or malicious website.

The technical root cause of CVE-2026-11645 is improper bounds checking in the V8 engine, leading to memory corruption. This can be exploited to manipulate the browser’s memory layout, bypassing security controls and enabling the execution of attacker-controlled code. The vulnerability is classified under CWE-125 (Out-of-bounds Read) and CWE-787 (Out-of-bounds Write), both of which are notorious for their exploitability and potential impact.

Other notable vulnerabilities include multiple "use-after-free" conditions, where memory is accessed after it has been freed, leading to undefined behavior and potential code execution. For example, CVE-2026-11628 and CVE-2026-11629 affect Ozone, while CVE-2026-11633, CVE-2026-11635, CVE-2026-11641, CVE-2026-11698, and CVE-2026-11699 target the Bluetooth component. Integer overflows, such as CVE-2026-11640 and CVE-2026-11678 in libyuv, can also lead to buffer overflows and subsequent code execution.

The vulnerabilities patched in this release are the result of both internal audits and external security research, with several being reported through the Google Chrome Vulnerability Reward Program. The rapid response and inclusion of these fixes in the stable channel underscore the criticality of the issues and the need for immediate action by enterprise and individual users alike.

Exploitation in the Wild

CVE-2026-11645 has been confirmed as exploited in the wild, with active campaigns leveraging malicious websites to deliver exploit payloads to vulnerable Chrome browsers. The exploitation chain typically involves a drive-by compromise, where users are lured to attacker-controlled or compromised legitimate sites hosting malicious JavaScript. Upon rendering, the exploit triggers the out-of-bounds memory access in V8, enabling arbitrary code execution within the browser context.

Security researchers and threat intelligence platforms, including CISA and The Hacker News, have reported ongoing exploitation, with indicators of compromise (IOCs) including suspicious HTML/JavaScript payloads and anomalous process spawning from the Chrome browser. The CISA Known Exploited Vulnerabilities (KEV) Catalog has listed CVE-2026-11645 as requiring immediate remediation, particularly for federal agencies, but the guidance extends to all organizations due to the widespread use of Chrome.

No fully public proof-of-concept (PoC) exploit code has been released as of this writing, but exploit discussions and technical details have surfaced on social media and security forums, increasing the risk of broader exploitation.

APT Groups Using This Vulnerability

While there is no definitive public attribution to specific Advanced Persistent Threat (APT) groups for CVE-2026-11645 at this time, the exploitation patterns observed are consistent with both financially motivated cybercriminals and state-sponsored actors. Historically, browser zero-days have been leveraged by groups such as APT28 (Fancy Bear), APT29 (Cozy Bear), and Charming Kitten, among others, for initial access and espionage operations. The technical sophistication required to exploit out-of-bounds memory vulnerabilities in V8 suggests that well-resourced threat actors are likely involved or will soon adopt this exploit into their toolkits.

Security researchers have noted that the rapid weaponization of browser vulnerabilities is a hallmark of both targeted and opportunistic campaigns, with exploitation often preceding public disclosure. Organizations in sectors such as government, finance, technology, and defense should be particularly vigilant.

Affected Product Versions

The vulnerabilities affect all versions of Google Chrome prior to 149.0.7827.103 on Windows, macOS, and Linux. Specifically, the following versions are impacted: Google Chrome 149.0.7827.102 for Windows, Google Chrome 149.0.7827.103 for Windows, Google Chrome 149.0.7827.102 for macOS, Google Chrome 149.0.7827.103 for macOS, and Google Chrome 149.0.7827.102 for Linux. Any deployment running a version lower than 149.0.7827.103 is vulnerable to the issues described in this advisory.

Workaround and Mitigation

The primary mitigation is to update Google Chrome to version 149.0.7827.103 or later on all platforms. This update is available via the standard Chrome update mechanism and should be deployed as a matter of urgency. Organizations should enforce browser updates through centralized management tools such as Google Workspace Admin Console, Microsoft Endpoint Manager, or equivalent solutions to ensure compliance across all endpoints.

In addition to patching, organizations should monitor for indicators of compromise, including browsers running outdated versions, suspicious HTML/JavaScript payloads targeting the V8 engine, and unusual process spawning from the Chrome browser context. Endpoint Detection and Response (EDR) solutions should be configured to alert on anomalous browser behavior and potential exploitation attempts.
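As an added detection example (not code from the advisory, from Google, or from any referenced source), the script below compares Chrome versions reported in constructed proxy log lines against the 149.0.7827.103 fix level and flags outdated clients. It assumes a log format where the first field is the client IP and the User-Agent is logged; versions are compared numerically so that a patch number like 99 is not mistaken for being newer than 103, and reduced User-Agents (minor.build.patch frozen to 0.0.0) are reported as unknown rather than vulnerable.

```python
import re

# Lowest fixed build named in the advisory; anything below it is unpatched.
PATCHED = "149.0.7827.103"

# Chromium-based User-Agents carry "Chrome/<major>.<minor>.<build>.<patch>".
# Edge, Brave and others send the same token, so hits still need inventory triage.
UA_RE = re.compile(r"Chrome/(\d+\.\d+\.\d+\.\d+)")

def version_tuple(v):
    """'149.0.7827.103' -> (149, 0, 7827, 103): ints, so patch 99 sorts below 103."""
    parts = v.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part Chrome version: {v!r}")
    return tuple(int(p) for p in parts)

def classify(version, patched=PATCHED):
    """Return 'patched', 'vulnerable' or 'unknown' for one reported version.

    Recent Chrome sends a reduced User-Agent with minor.build.patch frozen to
    0.0.0 (e.g. 149.0.0.0). Only the major number is real there, so a same-major
    reduced UA is 'unknown': the full build must come from endpoint inventory or
    the Sec-CH-UA-Full-Version-List client hint, never from the UA string alone.
    """
    v, p = version_tuple(version), version_tuple(patched)
    if v[1:] == (0, 0, 0):
        if v[0] < p[0]:
            return "vulnerable"
        return "patched" if v[0] > p[0] else "unknown"
    return "patched" if v >= p else "vulnerable"

def scan_proxy_log(lines, patched=PATCHED):
    """Map client IP -> (version, verdict) for each line carrying a Chrome token."""
    results = {}
    for line in lines:
        m = UA_RE.search(line)
        if not m:
            continue  # no Chromium UA on this line (Firefox, curl, ...)
        results[line.split()[0]] = (m.group(1), classify(m.group(1), patched))
    return results

# Constructed sample proxy log lines (not from the advisory): IP, status, request, UA.
SAMPLE_LOG = [
    '10.0.0.5 200 "GET https://intranet.example/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/148.0.7790.55 Safari/537.36"',
    '10.0.0.6 200 "GET https://intranet.example/" "Mozilla/5.0 (X11; Linux x86_64) Chrome/149.0.7827.103 Safari/537.36"',
    '10.0.0.7 200 "GET https://intranet.example/" "Mozilla/5.0 (Macintosh) Chrome/149.0.7827.99 Safari/537.36"',
    '10.0.0.8 200 "GET https://intranet.example/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/149.0.0.0 Safari/537.36"',
    '10.0.0.9 200 "GET https://intranet.example/" "Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0"',
]

if __name__ == "__main__":
    for ip, (ver, verdict) in sorted(scan_proxy_log(SAMPLE_LOG).items()):
        print(f"{ip:<10} Chrome/{ver:<16} {verdict}")
```

Treat "unknown" results as a prompt to query the management console for the full build rather than as a clean bill of health.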

Where immediate patching is not feasible, consider temporarily restricting access to untrusted websites, disabling JavaScript execution for high-risk users, and segmenting vulnerable endpoints from sensitive network resources. However, these are only stopgap measures and do not replace the need for prompt patching.

Refer to the CISA KEV guidance for additional compliance and mitigation steps, particularly for organizations subject to federal cybersecurity mandates.

References

Chrome Official Release Notes: https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0153744567.html
NVD Entry for CVE-2026-11645: https://nvd.nist.gov/vuln/detail/CVE-2026-11645
CISA KEV Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-11645
The Hacker News Coverage: https://thehackernews.com/2026/06/chrome-v8-zero-day-cve-2026-11645.html
HelpNetSecurity Coverage: https://www.helpnetsecurity.com/2026/06/09/google-chrome-zero-day-cve-2026-11645/
Reddit Discussion: https://www.reddit.com/r/pwnhub/comments/1u3w1en/googles_chrome_149_update_fixes_28_critical_bugs/
LinkedIn Post: https://www.linkedin.com/posts/dlross_chrome-149-update-patches-28-vulnerabilities-activity-7471373279149277185-coN1
SecurityWeek X Post: https://x.com/SecurityWeek/status/2065365556945940704
PoC/Exploit Discussion: https://x.com/AndreGironda/status/2064852246748381681

Rescana is here for you

At Rescana, we understand that the evolving threat landscape requires proactive and continuous risk management. Our Third-Party Risk Management (TPRM) platform empowers organizations to identify, assess, and mitigate cyber risks across their digital supply chain, ensuring resilience against both known and emerging threats. While this advisory focuses on the latest Google Chrome vulnerabilities, our platform provides comprehensive visibility and actionable intelligence to help you stay ahead of adversaries. For any questions, further technical details, or assistance with your cybersecurity program, our team is ready to help at ops@rescana.com.