Google Fixes an Actively Exploited Chrome Zero-Day

Google just patched a Chrome zero-day already used in attacks. Update to version 149.0.7827.102 or .103 now to stay protected.
Key Takeaways
- CVE-2026-11645 is an actively exploited V8 flaw allowing remote code execution inside the Chrome sandbox.
- Update Chrome to 149.0.7827.102 on Windows and Linux, or 149.0.7827.103 on Mac, to close the zero-day.
- Automatic rollout can take days, so manually triggering the update gives faster protection.
Google has patched a high-severity Chrome vulnerability that attackers were already abusing in the wild. The flaw lets a crafted web page run arbitrary code, so updating now matters for everyone.
According to TechRadar, the bug is tracked as CVE-2026-11645 and carries a severity score of 8.8 out of 10. The same report says it is an out-of-bounds read and write issue in the Chrome V8 engine.
The vulnerability allows remote attackers to execute arbitrary code inside the browser sandbox. All it takes is a user opening a weaponized page in a vulnerable version of Chrome.
TechRadar notes the flaw affects versions before 149.0.7827.103. The fix is now live in the Stable Desktop channel across the major platforms.
According to TechRadar, Google released patches for Windows and Linux at 149.0.7827.102 and Mac at 149.0.7827.103. The advisory confirmed that an exploit for the bug already exists in the wild.
Google declined to share attack details in its advisory. The company said access may stay restricted until most users have installed the fix.
Forbes reports the update fixes 72 security flaws in total, with 17 rated critical. The zero-day itself is high severity rather than critical, but it should not be ignored.
According to Forbes, a researcher known as 303f06e3 found the flaw and received a $55,000 bug bounty. The report adds that Chrome serves roughly 3.5 billion users worldwide.
Forbes says the Android update is already available through the Play Store. Desktop updates roll out automatically, though that process can take a few days to reach everyone.
Because the rollout is gradual, manually triggering the update is the safer move. Users who wait risk leaving the active exploit unpatched for longer than necessary.
To check your version, open the menu and select Help, then About Google Chrome. Chrome will download and install any available update, then prompt for a restart.
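For administrators checking many machines rather than one, the same version check can be scripted. The following is an added example, not code from Google or the cited reports; it compares reported Chrome versions against the fixed builds given above, and the host names and inventory rows are constructed sample data.

```python
import re

# Fixed builds as stated in the article, per platform.
FIXED = {
    "windows": (149, 0, 7827, 102),
    "linux": (149, 0, 7827, 102),
    "mac": (149, 0, 7827, 103),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract a four-part version from text such as
    'Google Chrome 149.0.7827.102'; return None if none is present."""
    match = VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def status(platform, version_text):
    """Classify one host as 'patched', 'vulnerable' or 'unknown'."""
    fixed = FIXED.get(platform.lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"
    # Tuples compare numerically, so build 99 sorts below build 102
    # (a plain string comparison would get this wrong).
    return "patched" if version >= fixed else "vulnerable"


def triage(inventory):
    """Return (host, status) for every host that still needs attention."""
    results = ((host, status(plat, ver)) for host, plat, ver in inventory)
    return [(host, state) for host, state in results if state != "patched"]


# Constructed sample inventory: (host, platform, reported version string).
SAMPLE_INVENTORY = [
    ("ws-01", "windows", "Google Chrome 149.0.7827.102"),
    ("mac-07", "mac", "Google Chrome 149.0.7827.102"),  # one build short on Mac
    ("lin-03", "linux", "Google Chrome 149.0.7827.99"),
    ("ws-02", "windows", "Google Chrome 150.0.7000.10"),
    ("kiosk-9", "linux", "not installed"),
]

if __name__ == "__main__":
    for host, state in triage(SAMPLE_INVENTORY):
        print(f"{host}: {state}")
```

Hosts reported as unknown should be checked by hand rather than assumed safe.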
This update follows a far larger Chrome patch earlier in the month. Forbes notes the June 2 release fixed 429 vulnerabilities, the biggest in the browser's history.
Forbes attributes that surge partly to AI tooling speeding up vulnerability discovery. The smaller follow-up update is more urgent because it closes a live attack path.
