Google Chromium V8 Out-of-Bounds Read/Write (CVE-2026-11645): Remote Code Execution via Crafted HTML, Added to CISA KEV

An out-of-bounds read and write vulnerability in Google Chromium’s V8 JavaScript engine, tracked as CVE-2026-11645, allows a remote attacker to execute arbitrary code inside the browser sandbox via a crafted HTML page. CISA added this to the Known Exploited Vulnerabilities catalog on June 9, 2026 with a June 23 remediation deadline. The vulnerability affects Chrome, Edge, Brave, Opera, and all Chromium-based browsers.

What Is the Vulnerability?

CVE-2026-11645 is an out-of-bounds read and write vulnerability in the V8 JavaScript engine — the core component that executes JavaScript in every Chromium-based browser. A remote attacker can craft a malicious HTML page that, when visited, triggers the vulnerability to achieve arbitrary code execution within the browser’s sandbox. No user interaction beyond visiting the page is required.

This follows the pattern of numerous V8 vulnerabilities exploited in the wild: the combination of remote reachability (just visiting a website) and the potential for chaining with a sandbox escape makes V8 vulnerabilities highly valuable to attackers. Although code execution from this vulnerability is confined to the sandbox, it can be chained with a sandbox escape to achieve full system compromise.

  • CVSS v3.1 Score: 8.8 (High — estimated)
  • CISA KEV: Added June 9, 2026 — deadline June 23, 2026

Which Versions Are Affected?

  • Google Chrome — all versions prior to the patched release
  • Microsoft Edge — all versions prior to the patched release
  • All Chromium-based browsers (Brave, Opera, Vivaldi, etc.)

What Is the Fix?

Update Chrome and all Chromium-based browsers to the latest version. Restart browsers for the update to take effect. For enterprise-managed Chrome deployments, push the update through browser management policies.

Recommendations

Update all Chromium-based browsers immediately. The addition to the KEV catalog confirms concern about active exploitation. Enforce browser restart policies in enterprise environments.
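To check that updates and restarts have actually landed, the following added example (not part of the original advisory) triages a browser inventory into vulnerable, restart-pending and patched installs. The advisory does not state the fixed build, so the version thresholds, hostnames and inventory rows are constructed placeholders, and the inventory format is an assumption.

```python
from typing import Dict, List, Optional, Tuple

def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Parse 'MAJOR.MINOR.BUILD.PATCH' into ints; None if malformed."""
    parts = (text or "").strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(installed: str, running: Optional[str], fixed: str) -> str:
    """Status of one install; `running` is None when no process is open."""
    fixed_v, inst_v = parse_version(fixed), parse_version(installed)
    if fixed_v is None or inst_v is None:
        return "UNKNOWN"          # no threshold or unreadable version: check by hand
    if inst_v < fixed_v:          # numeric compare, so 99.x sorts below 200.x
        return "VULNERABLE"
    if running is not None:
        run_v = parse_version(running)
        if run_v is None:
            return "UNKNOWN"
        if run_v < fixed_v:       # updated on disk, old build still in memory
            return "RESTART_PENDING"
    return "PATCHED"

# Constructed thresholds, NOT the real fixed builds (the advisory gives none).
# Take the real values from each vendor's release notes.
FIXED = {"chrome": "200.0.1000.50", "edge": "200.0.900.40"}

# Constructed inventory: (host, browser, version on disk, running version or None)
INVENTORY = [
    ("ws-01", "chrome", "200.0.1000.50", "200.0.1000.50"),
    ("ws-02", "chrome", "200.0.1000.50", "200.0.1000.12"),
    ("ws-03", "chrome", "99.0.4844.84", None),
    ("ws-04", "edge", "200.0.900.40", None),
    ("ws-05", "edge", "unknown", None),
    ("ws-06", "brave", "1.70.100.0", None),  # no threshold configured
]

def triage(inventory, fixed: Dict[str, str]) -> Dict[str, List[str]]:
    """Group host/browser pairs by status."""
    report: Dict[str, List[str]] = {}
    for host, browser, installed, running in inventory:
        status = classify(installed, running, fixed.get(browser, ""))
        report.setdefault(status, []).append(f"{host}/{browser}")
    return report

if __name__ == "__main__":
    for status, hosts in sorted(triage(INVENTORY, FIXED).items()):
        print(f"{status}: {', '.join(hosts)}")
```

Each Chromium-based vendor numbers its releases separately, so a browser without its own threshold is reported as UNKNOWN rather than compared against Chrome's version.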

This advisory was first covered in the broader Vulnerability Intelligence Report — June 10, 2026.
