The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning after adding a newly identified Google Chromium zero-day vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild.
The flaw, tracked as CVE-2026-11645, resides in the Chromium V8 JavaScript engine and carries serious implications for enterprises and individual users relying on any Chromium-based browser.
CVE-2026-11645 is classified under CWE-787 (Out-of-Bounds Write) and CWE-125 (Out-of-Bounds Read), two memory corruption weaknesses that have historically been among the most dangerous in browser environments.
The vulnerability can be triggered when a user visits a specially crafted HTML page, requiring no additional user interaction beyond navigation a low-friction attack vector that significantly elevates risk.
The flaw targets Chromium’s V8 engine, the high-performance JavaScript runtime embedded in virtually every modern Chromium-based browser.
Out-of-bounds memory access vulnerabilities in V8 are particularly severe because they allow attackers to corrupt internal memory structures, potentially undermining the integrity of the browser’s execution environment.
Because CVE-2026-11645 is rooted in the shared Chromium codebase, the attack surface extends well beyond Google Chrome.
Microsoft Edge, Opera, Brave, Vivaldi, and a wide range of enterprise-deployed Chromium-based applications are all potentially affected. This cross-browser exposure significantly amplifies the threat, creating risk across both consumer and corporate environments at scale.
CISA added CVE-2026-11645 to the KEV catalog on June 9, 2026, a move that signals confirmed real-world exploitation rather than theoretical risk. Under Binding Operational Directive (BOD) 22-01, all Federal Civilian Executive Branch (FCEB) agencies are required to apply vendor-provided mitigations no later than June 23, 2026.
While full technical details of the active exploit chain have not been publicly disclosed a common practice to limit further weaponization CISA’s KEV listing alone represents a strong threat signal for all organizations, not just federal entities.
Although current exploitation is believed to be contained within the browser’s sandboxed environment, security researchers warn against treating this as a significant limiting factor.
Threat actors frequently chain sandbox-bound vulnerabilities with separate privilege-escalation or sandbox-escape exploits to achieve full system compromise. The history of Chromium-based zero-days shows a consistent pattern of such chained attacks in targeted intrusion campaigns.
No confirmed link between CVE-2026-11645 and ransomware operators has been established at this time. However, browser-based initial access vulnerabilities of this nature have historically been favored by both financially motivated groups and nation-state APT actors conducting spear-phishing and watering hole operations.
Recommended Mitigations
- Update all Chromium-based browsers to the latest available version immediately
- Enable automatic updates across enterprise browser deployments
- Implement browser isolation technology to limit exposure on sensitive systems
- Apply web content filtering and restrict access to untrusted or unclassified web properties
- Review endpoint detection and response (EDR) logs for anomalous browser process behavior
- Discontinue use of affected products if patches remain unavailable, per CISA guidance
Organizations should treat CVE-2026-11645 as a critical-priority patch, given active exploitation, the breadth of affected products, and the demonstrated attacker interest in browser engines as initial access vectors.
No Comment! Be the first one.