Active Exploitation Alert: Google Chrome 151 Security Update Fixes 382 Vulnerabilities, Including Actively Exploited CVE-2026-11645

Executive Summary

Google has released a critical security update for Google Chrome, version 151, addressing an unprecedented 382 vulnerabilities. The release matters to every organization and individual using Google Chrome on Windows, macOS, Linux, Android, or iOS, and to users of other Chromium-based browsers. The vulnerabilities span all severities: 15 critical, 67 high, 169 medium, and 131 low. Many of these flaws were discovered internally by Google, with a significant uptick attributed to AI-driven vulnerability discovery. Most affect the renderer process and can be exploited via crafted web content, potentially resulting in remote code execution (RCE) and sandbox escapes. At least one vulnerability (CVE-2026-11645) is confirmed by CISA as being actively exploited in the wild, which makes immediate patching urgent.

Technical Information

The Google Chrome 151 update addresses a wide array of vulnerabilities, most of which are rooted in memory safety issues such as use-after-free, out-of-bounds read/write, type confusion, and uninitialized use. These vulnerabilities are particularly dangerous as they can be triggered by malicious web content, allowing attackers to execute arbitrary code within the browser’s renderer sandbox. In certain scenarios, successful exploitation can lead to sandbox escapes, granting attackers elevated privileges on the host system.

A significant portion of the vulnerabilities were identified through Google’s internal security research, leveraging advanced fuzzing and AI-based static analysis. This has resulted in a notable increase in the volume of discovered vulnerabilities, reflecting both the complexity of the browser’s codebase and the evolving sophistication of automated vulnerability discovery tools.

Example Vulnerabilities

CVE-2026-3931 is a heap buffer overflow in Skia, the graphics engine used by Google Chrome. Exploitation of this vulnerability via crafted HTML can result in remote code execution. The vulnerability is classified as high severity (CVSS 8.8) and is tracked under CWE-787 (Out-of-bounds Write) and CWE-122 (Heap-based Buffer Overflow).

CVE-2026-11645 is an out-of-bounds read and write vulnerability in Chromium V8, the JavaScript engine powering Google Chrome. This vulnerability is confirmed by CISA as being actively exploited in the wild (added to the KEV catalog on June 9, 2026). It allows remote attackers to execute arbitrary code inside the browser sandbox via a crafted HTML page. The required action is to apply vendor mitigations immediately or discontinue use if mitigations are unavailable.

CVE-2026-5281 is a use-after-free vulnerability in Dawn, a component of the renderer process. This flaw can be leveraged to compromise the renderer and potentially escalate privileges if chained with other vulnerabilities.

Attack Surface and Exploitation

The primary attack vector for these vulnerabilities is malicious web content delivered through phishing emails, compromised websites, or malicious advertisements. Attackers exploit memory corruption bugs to achieve code execution within the renderer process. In advanced attack chains, these vulnerabilities are combined with sandbox escape exploits to achieve full system compromise.

MITRE ATT&CK Mapping

The vulnerabilities align with the following MITRE ATT&CK techniques: T1203 (Exploitation for Client Execution), where attackers exploit browser vulnerabilities to execute code on the victim’s machine, and T1068 (Exploitation for Privilege Escalation), where sandbox escapes are leveraged for elevated access.

Exploitation in the Wild

According to CISA’s Known Exploited Vulnerabilities (KEV) catalog, CVE-2026-11645 is confirmed as being actively exploited in the wild, with CISA adding it to the KEV catalog on June 9, 2026. This vulnerability affects Google Chrome and other Chromium-based browsers, including Microsoft Edge and Opera. The exploitation involves remote code execution via crafted HTML, and organizations are required to apply mitigations per vendor instructions or discontinue use if mitigations are unavailable.

For the remaining vulnerabilities addressed in Google Chrome 151, there is currently no public evidence of active exploitation. However, the prevalence of use-after-free and out-of-bounds vulnerabilities in exploit kits and their historical targeting by threat actors means the risk of future exploitation remains high.

APT Groups using this vulnerability

While there is no direct attribution of the Chrome 151 vulnerabilities to specific Advanced Persistent Threat (APT) groups as of this report, historical patterns indicate that groups such as APT28 (Fancy Bear) and APT41 have previously exploited Google Chrome zero-days for initial access and privilege escalation. These groups are known for their sophisticated exploitation of browser vulnerabilities in targeted attacks against government, technology, and critical infrastructure sectors. The confirmed exploitation of CVE-2026-11645 increases the likelihood that state-sponsored and financially motivated actors will attempt to weaponize similar vulnerabilities in the near future.

Affected Product Versions

The following product versions are affected and require immediate updating:

Google Chrome for Windows, Mac, and Linux: Versions prior to 151.0.7990.70
Google Chrome Extended Stable Channel: Versions prior to 151.0.7990.70
Chromium open-source builds: Versions prior to 151.0.7990.70
ChromeOS: Versions prior to 151.0.7990.70 (where Chrome browser is bundled)
Chrome for Android: Versions prior to 151.0.7990.70 (pending staged rollout confirmation)
Chrome for iOS: Versions prior to 151.0.7990.70 (pending staged rollout confirmation)

Organizations should verify their deployment inventory and ensure all instances of Google Chrome and Chromium-based browsers are updated to version 151.0.7990.70 or later.

Workaround and Mitigation

The primary mitigation is to update all instances of Google Chrome and Chromium-based browsers to version 151.0.7990.70 or later. Organizations should enforce automated browser update policies and monitor for successful patch deployment across all endpoints. Where immediate updating is not feasible, consider restricting access to untrusted web content and disabling JavaScript execution in high-risk environments.

CISA’s required action for CVE-2026-11645 is to apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Additional recommendations include monitoring for unusual browser process behavior, unexpected child processes, and suspicious network connections originating from Google Chrome. Regularly review patch management cycles for web browsers and ensure that all security controls are aligned with current threat intelligence.
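One way to triage the "unexpected child processes" signal mentioned above, as an added example that is not part of the original advisory. The event field names, the interpreter list and the sample events are assumptions constructed for illustration, as is the premise that a process started with --type=renderer does not normally create child processes.

```python
import ntpath

CHROME = "chrome.exe"
# Assumption: interpreters a browser has little reason to launch directly.
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed process-creation events; field names are hypothetical and do not
# follow any specific EDR product's schema.
SAMPLE_EVENTS = [
    {"host": "ws-001", "parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_cmd": "chrome.exe --type=renderer", "child": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws-002", "parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_cmd": "chrome.exe", "child": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"host": "ws-003", "parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_cmd": "chrome.exe", "child": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "ws-004", "parent": r"C:\Windows\explorer.exe",
     "parent_cmd": "explorer.exe", "child": r"C:\Windows\System32\cmd.exe"},
]

def basename(path):
    """Lower-cased Windows file name, regardless of the OS running this script."""
    return ntpath.basename(path).lower()

def triage(event):
    """Return (severity, reason) for a suspicious event, or None."""
    if basename(event["parent"]) != CHROME:
        return None  # only browser-parented process creation is in scope
    child = basename(event["child"])
    if "--type=renderer" in event["parent_cmd"]:
        # Assumption: any child of a renderer is unexpected.
        return ("high", f"renderer process spawned {child}")
    if child in INTERPRETERS:
        return ("medium", f"browser spawned interpreter {child}")
    return None

def detect(events):
    """Return (host, severity, reason) for every event that triage() flags."""
    return [(e["host"], *hit) for e in events if (hit := triage(e))]

if __name__ == "__main__":
    for host, severity, reason in detect(SAMPLE_EVENTS):
        print(f"[{severity}] {host}: {reason}")
```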

Indicators of Compromise

The following caveat applies: Indicators of compromise are point-in-time and should be validated before enforcement. At the time of writing, no public indicators of compromise (IOCs) specific to the Chrome 151 vulnerabilities were available.


Rescana is here for you

Rescana empowers organizations to manage third-party risk and supply chain security with our advanced TPRM platform, providing continuous monitoring, automated risk assessments, and actionable intelligence. For any questions or further information, we are happy to assist at info@rescana.com.