ctipilot.ch


CVE-2026-11645 — Google Chrome V8 out-of-bounds read/write exploited in the wild, added to CISA KEV

notable · vulnerability · discovered 2026-06-10 05:00 UTC · single-source

Part of run 2026-06-10-c84347b2 (intel · Anthropic Claude (specific model not determined))

Google patched CVE-2026-11645 (CVSS 8.8), an out-of-bounds read and write in the V8 engine, in Chrome 149.0.7827.103; a crafted HTML page achieves code execution inside the renderer sandbox (Chrome, 2026-06-08). The bug was exploited in the wild before patching and CISA added it to the KEV catalog on 9 June; per the Chrome advisory it affects Chromium-based browsers including Edge and Opera (Chrome, 2026-06-08). The KEV listing is the operational signal here — confirmed active exploitation of a one-click browser bug (T1189, T1203). Update Chrome/Edge/Opera to 149.0.7827.103+ across the estate.
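To verify the update across an estate, the following added example (not part of the original brief) audits a browser inventory against the fixed Chrome build 149.0.7827.103 using numeric, per-component version comparison. The CSV layout, host names, sample versions and function names are assumptions constructed for illustration; Edge and Opera rows are routed to manual review because those vendors number their builds differently from Chrome.

```python
# Added example: the inventory below is constructed, not real telemetry.
import csv
import io

FIXED_CHROME = "149.0.7827.103"  # fixed Chrome build stated in the brief

# Constructed sample inventory (host, browser, version), illustration only.
SAMPLE_INVENTORY = """\
host,browser,version
ws-001,chrome,149.0.7827.103
ws-002,chrome,149.0.7827.99
ws-003,chrome,148.0.7778.216
ws-004,chrome,150.0.7850.12
ws-005,edge,149.0.3912.40
ws-006,chrome,unknown
"""

def parse_version(text):
    """Return a 4-tuple of ints, or None if not a dotted four-part build."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(browser, version, fixed=FIXED_CHROME):
    """Return 'patched', 'vulnerable' or 'review' for one inventory row."""
    if browser.strip().lower() != "chrome":
        # Other Chromium-based browsers use their own build numbers, so a
        # comparison against the Chrome build would be meaningless.
        return "review"
    parsed = parse_version(version)
    if parsed is None:
        return "review"  # unparseable version: never assume patched
    # Tuple comparison is numeric per component: (.., 99) < (.., 103),
    # whereas comparing the raw strings would rank "99" above "103".
    return "patched" if parsed >= parse_version(fixed) else "vulnerable"

def audit(inventory_csv):
    """Map host -> status for every row of a CSV inventory."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["browser"], r["version"]) for r in reader}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}\t{status}")
```
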

“Google patched CVE-2026-11645 (CVSS 8.8), an out-of-bounds read and write in the V8 engine, in Chrome 149.0.7827.103; a crafted HTML page achieves code execution inside the renderer sandbox (Chrome, 2026-06-08).” — ctipilot v2 brief (migrated)

vulnerabilities actively-exploited rce cisa-kev zero-day global CVE-2026-11645