Google: Google Chrome 0-Day Vulnerability Exploited in Active Attacks

Google Patches Actively Exploited Chrome Zero-Day in Emergency Update

Google has released an emergency security update for Chrome to address a critical zero-day vulnerability (CVE-2026-11645) under active exploitation. The flaw, an out-of-bounds memory access issue in Chrome’s V8 JavaScript engine, was discovered by external researcher 303f06e3 on April 27, 2026, earning a $55,000 bug bounty.

The vulnerability allows threat actors to execute arbitrary code by luring users to malicious webpages or injecting crafted scripts. When combined with a sandbox escape, it could lead to full system compromise. The Stable channel has been updated to version 149.0.7827.102/.103 for Windows and Mac, and 149.0.7827.102 for Linux, with the rollout expected to complete in the coming days.

Beyond the zero-day, the update patches 74 additional vulnerabilities, including:

  • 17 critical Use-After-Free (UAF) flaws in components like Ozone, Aura, TabStrip, Bluetooth, and Autofill.
  • 55 high-severity issues in V8, Network, Extensions, WebRTC, GPU, and PDF.
  • 2 medium-severity bugs in Tracing and Guest View.

The concentration of UAF vulnerabilities, particularly in Bluetooth, V8, and rendering subsystems, suggests a targeted internal security audit by Google’s teams. Other notable flaws include integer overflows in libyuv and Media, an out-of-bounds write in GPU, and a type confusion in Bindings.

Google has restricted full technical details until most users are patched, emphasizing the urgency of the update. Users are advised to manually check for updates via chrome://settings/help to ensure they are running the latest version.
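
An added example (not from the article or from Google) that turns the fixed-version numbers above into a fleet check, classifying each Chrome install in an inventory export against the 149.0.7827.102 floor. The CSV layout, the host names and sample versions, and the treatment of any build at or above .102 as patched are assumptions.

```python
import csv
import io
import re

# Lowest fixed Stable build named in the article; Windows and Mac also ship
# .103. Assumption: any build at or above this floor counts as patched.
FIXED = {p: (149, 0, 7827, 102) for p in ("windows", "mac", "linux")}
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Pull a four-part Chrome version out of free text, or return None."""
    m = VERSION_RE.search(text or "")
    return tuple(int(p) for p in m.groups()) if m else None


def classify(platform, version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one install."""
    floor = FIXED.get((platform or "").strip().lower())
    version = parse_version(version_text)
    if floor is None or version is None:
        # Platform not covered by the article, or no parseable version:
        return "unknown"  # review by hand instead of assuming it is safe
    return "patched" if version >= floor else "vulnerable"


def audit(inventory_csv):
    """Map each status to the sorted list of hosts in that state."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        report[classify(row["platform"], row["version"])].append(row["host"])
    return {status: sorted(hosts) for status, hosts in report.items()}


# Constructed sample inventory (hypothetical hosts and versions, not real data).
SAMPLE = """host,platform,version
ws-01,Windows,Google Chrome 149.0.7827.103
ws-02,Windows,149.0.7827.98
mac-01,Mac,Google Chrome 149.0.7827.102
lin-01,Linux,Google Chrome 148.0.7800.200
lin-02,Linux,149.0.7827.102
kiosk-01,ChromeOS,149.0.7827.102
ws-03,Windows,not installed
"""

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE).items():
        print(status, hosts)
```

Hosts reported as unknown need a manual check, since a missing or unparseable version string is not evidence of a patched browser.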

Source: https://cyberpress.org/google-chrome-0-day-vulnerability-exploited/

Google cybersecurity rating report: https://www.rankiteo.com/company/google

"id": "GOO1781072701",
"linkid": "google",
"type": "Vulnerability",
"date": "4/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'All Chrome users',
                        'industry': 'Technology',
                        'location': 'Global',
                        'name': 'Google Chrome',
                        'type': 'Software'}],
 'attack_vector': 'Malicious webpages, crafted scripts',
 'customer_advisories': 'Users advised to update Chrome immediately to version '
                        '149.0.7827.102/.103.',
 'date_detected': '2026-04-27',
 'description': 'Google has released an emergency security update for Chrome '
                'to address a critical zero-day vulnerability (CVE-2026-11645) '
                'under active exploitation. The flaw, an out-of-bounds memory '
                'access issue in Chrome’s V8 JavaScript engine, allows threat '
                'actors to execute arbitrary code by luring users to malicious '
                'webpages or injecting crafted scripts. When combined with a '
                'sandbox escape, it could lead to full system compromise. The '
                'update also patches 74 additional vulnerabilities, including '
                '17 critical Use-After-Free flaws and 55 high-severity issues.',
 'impact': {'operational_impact': 'Potential arbitrary code execution, full '
                                  'system compromise if combined with sandbox '
                                  'escape',
            'systems_affected': 'Chrome browser (Windows, Mac, Linux)'},
 'investigation_status': 'Ongoing (technical details restricted)',
 'post_incident_analysis': {'corrective_actions': 'Patching the zero-day and '
                                                  'additional vulnerabilities; '
                                                  'internal security audit',
                            'root_causes': 'Out-of-bounds memory access in V8 '
                                           'JavaScript engine'},
 'recommendations': 'Users are advised to manually check for updates via '
                    'chrome://settings/help to ensure they are running the '
                    'latest version.',
 'references': [{'source': 'Google Security Blog'}],
 'response': {'communication_strategy': 'Restricted technical details until '
                                        'most users are patched; advised '
                                        'manual update checks via '
                                        'chrome://settings/help',
              'containment_measures': 'Emergency security update released '
                                      '(Chrome version 149.0.7827.102/.103 for '
                                      'Windows/Mac, 149.0.7827.102 for Linux)',
              'remediation_measures': 'Patching the zero-day and 74 additional '
                                      'vulnerabilities'},
 'title': 'Google Patches Actively Exploited Chrome Zero-Day in Emergency '
          'Update',
 'type': 'Zero-Day Vulnerability',
 'vulnerability_exploited': 'CVE-2026-11645 (Out-of-bounds memory access in V8 '
                            'JavaScript engine)'}