CVE-2026-11645

CVSS 8.8 HIGHEPSS 1.7%● KEVCWE-125 CWE-787

In short

A flaw in Chrome's V8 JavaScript engine allows an attacker to read and write memory outside intended boundaries through a malicious webpage, potentially executing harmful code within the browser sandbox.

Technical detail

Out-of-bounds read/write vulnerability in V8 (CWE-125, CWE-787) exploitable via crafted HTML delivered to a victim. Requires user interaction to visit a malicious page; impacts confidentiality and integrity through arbitrary code execution within sandbox confinement prior to Chrome 149.0.7827.103.

Summary generated and translated by AI from the official description.

Out of bounds read and write in V8 in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected products

Google · Chrome

public PoCs found — 3

githubgithub.com/fevar54/CVE-2026-11645-Out-of-bounds-Read-Write★ 3 githubgithub.com/0xBlackash/CVE-2026-11645★ 1 githubgithub.com/adamshaikhma/CVE-2026-11645★ 0

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0153744567.html https://issues.chromium.org/issues/506689381 https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-11645