
Google patches new Chrome zero-day flaw exploited in the wild

Jeff Davies 09 Jun 2026 4 min read

Issuer: Adverse Trace | Date issued: 2026-06-09 | Version: 1.0

1. Executive summary

Google has released emergency patches for CVE-2026-11645, a critical zero-day vulnerability in the Chrome V8 JavaScript engine actively exploited in the wild. This flaw allows remote attackers to perform out-of-bounds read/write operations via crafted HTML pages, potentially leading to sandbox escape and arbitrary code execution. For EMEA financial services, the immediate risk involves compromise of endpoint integrity and data exfiltration through standard web browsing activity, necessitating urgent patching to maintain DORA-compliant ICT risk management. This marks the fifth Chrome zero-day addressed by Google in 2026, indicating a sustained campaign targeting browser vulnerabilities.

2. Regulatory framing

| Regulation | Article | Practical impact for financial entities |
| --- | --- | --- |
| DORA | Art. 17 | Requires immediate identification and classification of this ICT vulnerability within the entity's risk landscape. |
| DORA | Art. 19 | Mandates the application of the patch (remediation) as a "timely" measure to mitigate the identified risk. |
| DORA | Art. 28-30 | Triggers potential major incident reporting obligations if exploitation leads to significant operational disruption or data breach. |
| NIS2 | Art. 21(2)(d) | Requires implementation of policies for vulnerability handling and disclosure; failure to patch constitutes a governance gap. |
| NIS2 | Art. 23 | Mandates early warning to CSIRTs if the exploitation results in a significant incident affecting essential services. |
| UK NIS | Reg. 11 | Requires relevant digital service providers to take appropriate and proportionate technical measures to manage risks. |

3. Attack chain

Based on available technical disclosures, the confirmed attack vector is as follows:

  1. Delivery: The victim is directed to a malicious website hosting a crafted HTML page.
  2. Trigger: The HTML page executes specific JavaScript sequences targeting the V8 engine.
  3. Exploitation: The script triggers an out-of-bounds read/write vulnerability (CVE-2026-11645), causing heap corruption.
  4. Impact: Successful exploitation allows the attacker to bypass Address Space Layout Randomization (ASLR) and execute arbitrary code within the Chrome sandbox.
  5. Escape (Potential): While the primary flaw is in the V8 engine, related critical advisories note that inappropriate implementation in the GPU component (prior to version 149.0.7827.53) can allow for sandbox escape, though a direct link between this specific zero-day and a confirmed GPU escape in the wild is not explicitly detailed in the source material.

Unconfirmed Steps: The specific delivery mechanism (e.g., phishing email, malvertising, compromised legitimate site) and the post-exploitation payload (e.g., ransomware, infostealer, APT toolkit) remain unconfirmed. Google has restricted access to bug details and exploit links until a majority of users are updated. Attribution to a specific threat actor is currently unknown.

4. Mitigation & containment

P1: Immediate (Within 24h)
  • Patch Deployment: Force update Google Chrome to the following versions or later:
      - Windows: 149.0.7827.102
      - Mac: 149.0.7827.103
      - Linux: 149.0.7827.102
      - Command (Windows): chrome.exe --force-update (or deploy via SCCM/Intune using the MSI installer for the above versions).
      - Command (Linux): sudo apt-get update && sudo apt-get install google-chrome-stable
  • Network Containment: If immediate patching is not feasible for all endpoints, implement network-level blocking of known malicious domains (none currently public) or restrict access to untrusted web categories via Web Proxy/Firewall until patching is complete.

P2: Short-term (Within 72h)
  • Verification: Audit endpoint management logs to verify 100% compliance with the patched version numbers listed above.
  • Browser Policy: Enforce Group Policy Objects (GPO) or MDM profiles to disable automatic installation of extensions and restrict JavaScript execution on untrusted sites where operationally feasible.

P3: Medium-term (Within 7 days)
  • Monitoring Enhancement: Update EDR/SIEM rules to detect anomalies in chrome.exe or chromium.exe processes, specifically looking for child process spawning or unexpected network connections initiated by the browser process.
  • User Awareness: Issue a targeted advisory to staff regarding the risks of clicking unsolicited links, emphasizing that this vulnerability is triggered by visiting malicious web pages.

5. Indicators of compromise

No specific file hashes, domains, or IP addresses associated with the active exploitation of CVE-2026-11645 have been publicly released. Google has explicitly restricted access to these details.

| Type | Value | Confidence | Source |
| --- | --- | --- | --- |
| CVE | CVE-2026-11645 | High | BleepingComputer / Google |
| Version (Win/Linux) | < 149.0.7827.102 | High | BleepingComputer |
| Version (Mac) | < 149.0.7827.103 | High | BleepingComputer |
| Component | V8 JavaScript Engine | High | BleepingComputer |

6. Detection

As no specific file hashes, URLs, or unique string signatures for the exploit kit have been released, signature-based detection of the exploit is not currently possible. However, behavioral detection can be tuned to identify potential exploitation attempts or post-exploitation activity.

YARA Rule: Note: Due to the lack of public static strings (hex patterns, mutexes, filenames) for this specific zero-day, a reliable YARA rule for the exploit binary cannot be constructed without fabricating indicators. Entities should instead rely on the version check: any Chrome build below the fixed versions listed in Sections 4 and 5 is unpatched.
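The P2 verification step in Section 4 and the note above both come down to a version comparison. As an added example (not the advisory's or Adverse Trace's own tooling), the following Python script audits a constructed inventory against the advisory's fixed builds; the hostnames and versions in it are made up.

```python
"""Chrome patch-compliance check for CVE-2026-11645 (added example, not the advisory's tooling).

Compares inventory versions against the minimum fixed builds from the advisory, per platform,
component by component; a plain string comparison would rank '149.0.7827.99' above
'149.0.7827.102', which is exactly the mistake a fleet audit must not make.
"""
from __future__ import annotations

# Minimum patched builds from the advisory (Windows/Linux and Mac differ).
MIN_FIXED = {
    "windows": "149.0.7827.102",
    "linux": "149.0.7827.102",
    "mac": "149.0.7827.103",
}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '149.0.7827.102' into (149, 0, 7827, 102); reject malformed input."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Chrome version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(platform: str, version: str) -> bool:
    """True if the installed build is at or above the fixed build for its platform."""
    return parse_version(version) >= parse_version(MIN_FIXED[platform.lower()])


def audit(inventory: list[dict]) -> list[dict]:
    """Return the records that still need patching, or that could not be evaluated."""
    findings = []
    for rec in inventory:
        try:
            if not is_patched(rec["platform"], rec["chrome_version"]):
                findings.append({**rec, "reason": "below fixed build"})
        except (KeyError, ValueError) as exc:  # unknown platform or bad version string
            findings.append({**rec, "reason": f"could not evaluate: {exc}"})
    return findings


# Constructed sample inventory (hostnames and versions are made up for this example).
SAMPLE_INVENTORY = [
    {"host": "WS-FIN-001", "platform": "windows", "chrome_version": "149.0.7827.102"},
    {"host": "WS-FIN-002", "platform": "windows", "chrome_version": "149.0.7827.99"},
    {"host": "MB-TRD-007", "platform": "mac", "chrome_version": "149.0.7827.102"},
    {"host": "LX-DEV-003", "platform": "linux", "chrome_version": "150.0.7900.10"},
    {"host": "WS-FIN-004", "platform": "windows", "chrome_version": "149.0.7827"},
]
```

Calling `audit(SAMPLE_INVENTORY)` flags the Windows host on build .99, the Mac on .102 (the Mac floor is .103) and the host with a truncated version string, while the Linux host on a later major release passes.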

Sigma Rule (Behavioral): The Sigma logic below detects potential exploitation attempts by monitoring for Chrome processes spawning unexpected children (process creation events) or writing to sensitive system paths (file events), either of which may indicate a successful sandbox escape following the V8 exploitation.

title: Potential Chrome Zero-Day Exploitation Activity - Suspicious Child Process
id: 8f3b2a1c-9d4e-4f5a-b6c7-1234567890ab
status: experimental
description: Detects Google Chrome spawning a shell or script interpreter, which may indicate successful exploitation of CVE-2026-11645 (V8 OOB Read/Write) leading to sandbox escape.
author: Adverse Trace
date: 2026-06-09
references:
    - https://www.bleepingcomputer.com/news/security/google-patches-fifth-chrome-zero-day-bug-exploited-in-attacks-this-year/
    - CVE-2026-11645
logsource:
    category: process_creation
    product: windows
detection:
    selection_chrome_spawn:
        ParentImage|endswith:
            - '\chrome.exe'
            - '\chromium.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\wscript.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\bash.exe'
    filter_false_positives:
        # Chrome's own helper processes carry a --type= switch; excluded defensively
        CommandLine|contains:
            - '--type=renderer'
            - '--type=gpu-process'
    # Sigma allows exactly one condition, at the detection level (not inside selections)
    condition: selection_chrome_spawn and not filter_false_positives
falsepositives:
    - Browser extensions or enterprise tooling that legitimately launch interpreters from Chrome
level: high
tags:
    - attack.initial-access
    - attack.execution
    - cve.2026.11645
    - dora.art17
---
# File writes are a different log source, so they form a second rule rather than a
# second selection in the process_creation rule above.
title: Potential Chrome Zero-Day Exploitation Activity - Sensitive Path Write
id: 00000000-0000-4000-8000-000000000000   # placeholder: generate a fresh UUID before deploying
status: experimental
description: Detects Google Chrome writing into persistence or system locations, which may indicate post-exploitation activity following CVE-2026-11645 and a sandbox escape.
author: Adverse Trace
date: 2026-06-09
references:
    - https://www.bleepingcomputer.com/news/security/google-patches-fifth-chrome-zero-day-bug-exploited-in-attacks-this-year/
    - CVE-2026-11645
logsource:
    category: file_event
    product: windows
detection:
    selection_chrome_sensitive_access:
        Image|endswith:
            - '\chrome.exe'
            - '\chromium.exe'
        TargetFilename|contains:
            - '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
            - '\Windows\System32\config'
            - '\Users\Public\Documents'
    condition: selection_chrome_sensitive_access
falsepositives:
    - Users saving downloads to Public Documents
level: medium
tags:
    - attack.execution
    - attack.persistence
    - cve.2026.11645
    - dora.art17
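To show what the process-creation rule above fires on, here is an added Python evaluator (not Adverse Trace's code, and not a Sigma backend) that applies the same selection and filter to constructed Sysmon-style events; the hostnames, paths and command lines are made up.

```python
"""Evaluates the Chrome child-process Sigma logic above over sample events.

Added example (not the advisory's or Sigma's code): the rule's selection and filter are
implemented directly in Python instead of through a Sigma backend. Events are
constructed Sysmon Event ID 1 style records; hostnames, paths and command lines are made up.
"""
from __future__ import annotations

BROWSERS = ("\\chrome.exe", "\\chromium.exe")
INTERPRETERS = ("\\cmd.exe", "\\powershell.exe", "\\wscript.exe",
                "\\cscript.exe", "\\mshta.exe", "\\bash.exe")
HELPER_SWITCHES = ("--type=renderer", "--type=gpu-process")  # the rule's false-positive filter


def _endswith_any(value: str, suffixes: tuple[str, ...]) -> bool:
    v = value.lower()  # Sigma string matching is case-insensitive by default
    return any(v.endswith(s.lower()) for s in suffixes)


def matches_chrome_spawn(event: dict) -> bool:
    """selection_chrome_spawn and not filter_false_positives, as written in the rule."""
    selection = (_endswith_any(event.get("ParentImage", ""), BROWSERS)
                 and _endswith_any(event.get("Image", ""), INTERPRETERS))
    cmd = event.get("CommandLine", "").lower()
    filtered = any(s in cmd for s in HELPER_SWITCHES)
    return selection and not filtered


def triage(events: list[dict]) -> list[dict]:
    """Return the events the rule would raise an alert for."""
    return [e for e in events if matches_chrome_spawn(e)]


CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [  # constructed process-creation events, Sysmon EID 1 field names
    {"Computer": "WS-FIN-001", "ParentImage": CHROME, "Image": CHROME,
     "CommandLine": '"chrome.exe" --type=renderer --lang=en-GB'},  # Chrome's own renderer: benign
    {"Computer": "WS-FIN-002", "ParentImage": CHROME,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Process"},  # browser spawning a shell
    {"Computer": "WS-FIN-003", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir"},  # unrelated parent
]

if __name__ == "__main__":
    for e in triage(SAMPLE_EVENTS):
        print(f"ALERT {e['Computer']}: {e['ParentImage']} -> {e['Image']}")
```

Only the second event alerts: Chrome launching its own renderer never matches the interpreter list, and an interpreter launched by Explorer has the wrong parent.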

7. Sources

  • BleepingComputer, "Google patches new Chrome zero-day flaw exploited in the wild", https://www.bleepingcomputer.com/news/security/google-patches-fifth-chrome-zero-day-bug-exploited-in-attacks-this-year/, 2026-06-09.
  • SecurityWeek, "Google Patches 5th Chrome Zero-Day Exploited in 2026", https://www.securityweek.com/google-patches-5th-chrome-zero-day-exploited-in-2026/, 2026-06-09.
  • GitHub Security Advisories, "Inappropriate implementation in GPU in Google Chrome", https://github.com/advisories/GHSA-vgfx-3p75-wqcx, Accessed 2026-06-09.

8. Adverse Trace position

We assess the severity of CVE-2026-11645 as Critical due to confirmed active exploitation and the high prevalence of Chrome within EMEA financial sector endpoints. The combination of V8 engine memory corruption and potential GPU sandbox escape primitives presents a tangible risk of full endpoint compromise via drive-by download attacks. Clients must treat this as a priority incident under DORA Article 19; reliance on automatic updates is insufficient given the "in the wild" status. Adverse Trace will continue to monitor for the release of restricted exploit details and specific IOCs, updating this advisory immediately upon availability.


Published via PulseTrace — Adverse Trace threat intelligence.
