Google on Monday announced a Chrome 149 update that patches 74 vulnerabilities, including a zero-day that has been exploited in the wild.
The exploited vulnerability is tracked as CVE-2026-11645. It has been described as a high-severity out-of-bounds read/write issue in V8, allowing a remote attacker to execute arbitrary code inside a sandbox using a specially crafted HTML page.
No information is available about the attacks exploiting CVE-2026-11645, but threat actors have likely chained it with a sandbox escape flaw.
According to Google’s advisory, the zero-day was reported to the company in late April by an anonymous researcher. Based on the Google-assigned identifier ‘303f06e3’, the same expert previously reported other Chrome vulnerabilities.
The researcher has been awarded $55,000 for responsibly disclosing CVE-2026-11645.
This is the fifth Chrome zero-day to be exploited in 2026. The others are CVE-2026-2441, CVE-2026-3909, CVE-2026-3910, and CVE-2026-5281.
The number of vulnerabilities found by Google itself in Chrome has surged, with hundreds of flaws discovered over the past few months. The surge was most likely driven by AI, but the tech giant has yet to disclose which models or tools it has used.
A vast majority of the flaws patched in the latest Chrome release — most rated critical and high severity — were found by Google.
The company recently reduced the base bug bounties for Chrome vulnerabilities due to AI.
Related: Chrome 149 Patches 429 Vulnerabilities
