Out-of-bounds read/write in Google Chromium V8 (CVE-2026-11645) — code execution via a crafted HTML page, affecting Chrome, Edge, and more
Google's JavaScript engine "Chromium V8" has an out-of-bounds read and write vulnerability that could let a remote attacker execute arbitrary code inside the sandbox via a crafted HTML page. It can affect multiple Chromium-based browsers, including Chrome, Edge, and Opera. CISA lists it in the Known Exploited Vulnerabilities (KEV) catalog (CVSS 8.8 High).
Key facts
- CVE ID: CVE-2026-11645
- CVSS base score: 8.8 HIGH
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Affected (vendor / product): Google Chromium V8
- CWE: CWE-787, CWE-125
- Exploitation: Listed in CISA KEV (exploitation confirmed)
- Remediation due: 2026-06-23 (U.S. federal civilian agencies, BOD 22-01)
Key points
- Out-of-bounds read/write (CWE-787 / CWE-125) in V8, the core Chromium JavaScript engine
- A crafted HTML page could lead to arbitrary code execution inside the sandbox
- Affects multiple Chromium-based browsers (Chrome, Edge, Opera) — a shared engine ripples widely
- Listed in CISA KEV = exploitation confirmed (CVSS 8.8 High)
- Response: update each browser to the latest version (restart to apply). Deadline June 23, 2026
CVE-2026-11645 is an out-of-bounds read and write vulnerability (CWE-787: out-of-bounds write / CWE-125: out-of-bounds read) in V8, the JavaScript engine at the core of Chromium browsers. It was added to CISA's KEV catalog on June 9, 2026.
Per NVD, an attacker could execute arbitrary code inside the sandbox via a crafted HTML page. Crucially, the impact is not limited to Google Chrome: NVD states it could affect multiple browsers that use Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera. Because Chromium is the shared foundation for many browsers, a single engine flaw ripples across a wide range of them.
Browsers are a front-line asset where users routinely encounter malicious sites. Out-of-bounds read/write is a classic vulnerability that can lead to code execution via memory corruption, and browser zero-days have repeatedly been exploited in targeted attacks. Even though execution is within the sandbox, the KEV listing pushes for prompt updates.
Key response: update to the latest version per each browser vendor's instructions (Chromium browsers auto-update by default, but restart the browser to ensure the update is applied). For cloud use, follow BOD 22-01. The federal civilian remediation deadline was June 23, 2026.
Why it matters
A browser flaw in the shared Chromium engine that ripples widely to Chrome, Edge, Opera, and others. For device administrators, the priorities are enforcing browser auto-updates and confirming application via restart. It reaffirms the importance of responding to browser zero-days.
FAQ
What is V8?
Why are browsers other than Chrome affected?
What should I do?
Sources (primary)
This article is an independent compilation based on the U.S. official data below. Always verify the exact, latest details and applicability with the official and vendor sources.
- CISA KEV Catalog (known exploited list)
- NVD (CVE details / CVSS)
- Vendor / reference advisory
- This product uses data from the NVD API but is not endorsed or certified by the NVD. KEV data is CC0 (public domain).