Google on Monday announced a Chrome 149 update that patches 74 vulnerabilities, including a zero-day that has been exploited in the wild.
The exploited vulnerability is tracked as CVE-2026-11645. It has been described as a high-severity out-of-bounds read/write issue in V8, allowing a remote attacker to execute arbitrary code inside a sandbox using a specially crafted HTML page.
No information is available about the attacks exploiting CVE-2026-11645, but threat actors have likely chained it with a sandbox escape flaw.
According to Google’s advisory, the zero-day was reported to the company in late April by an anonymous researcher. Based on the Google-assigned identifier ‘303f06e3’, the same expert previously reported other Chrome vulnerabilities.
The researcher has been awarded $55,000 for responsibly disclosing CVE-2026-11645.