Google has rolled out an urgent security update for Chrome, addressing a critical zero-day vulnerability that attackers have actively exploited. This latest update brings the Stable channel to version 149.0.7827.102/.103 on Windows and Mac, and 149.0.7827.102 on Linux. A total of 74 security fixes are included, with one confirmed zero-day exploit among them.
Details of the Exploited Vulnerability
The most pressing issue in this update is CVE-2026-11645, a severe out-of-bounds memory access flaw in Chrome’s V8 JavaScript engine. Because V8 processes untrusted JavaScript from various websites, the flaw poses a significant risk and can lead to remote code execution if exploited. An external researcher, known by the pseudonym “303f06e3,” discovered this vulnerability on April 27, 2026, and received a $55,000 bug bounty from Google for this critical finding.
Google has confirmed that CVE-2026-11645 has been exploited in the wild, underscoring the urgency of installing this update. Out-of-bounds memory access vulnerabilities allow attackers to execute arbitrary code within the browser’s process, potentially leading to system compromise when combined with other vulnerabilities.
Comprehensive Security Improvements
This update is not limited to a single vulnerability; it encompasses 74 security patches, including 17 critical ones. A significant number of these are use-after-free (UAF) vulnerabilities, a common challenge in browser security. Additionally, high-severity flaws were found across several core subsystems, including V8, WebRTC, and the GPU, indicating a comprehensive security audit by Google.
Specific vulnerabilities such as CVE-2026-11662, which involves Type Confusion in Bindings, and CVE-2026-11688, an Object Lifecycle issue in SVG, highlight the complexity of these browser security challenges. Google’s internal security team conducted an extensive review from late April to late May 2026, resulting in the identification of these critical issues.
Upgrade Recommendations
Google has updated the Stable channel to version 149.0.7827.102/.103 for Windows and Mac, and 149.0.7827.102 for Linux. The update will be rolled out to users over the next few days and weeks. However, users are strongly encouraged to manually update Chrome to ensure immediate protection.
To manually update Chrome, users can open the browser, click the three-dot menu in the top-right corner, and navigate to Help → About Google Chrome. Chrome will automatically check for updates, and users can click Relaunch once the update has downloaded.
Enterprise administrators should prioritize deploying version 149.0.7827.102/103 across managed systems immediately due to the active exploitation of CVE-2026-11645.
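A fleet check for the recommendation above, as an added example that is not from Google or the original article: it compares reported Chrome versions against the patched build 149.0.7827.102 numerically, because a plain string comparison would rank 149.0.7827.99 above it. The inventory format, host names and sample lines are constructed assumptions.

```python
import re

# Patched Stable build named in the article (the minimum on Windows, Mac and Linux).
PATCHED = (149, 0, 7827, 102)

# Matches a four-part Chrome version, e.g. inside "Google Chrome 149.0.7827.102".
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return the first four-part version found in text as an int tuple, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def classify(text):
    """Return 'patched', 'vulnerable', or 'unknown' for one reported version string."""
    v = parse_version(text)
    if v is None:
        return "unknown"  # no usable version reported: treat as needing follow-up
    # Tuple comparison is numeric per component, so .99 sorts below .102.
    return "patched" if v >= PATCHED else "vulnerable"


def audit(inventory_lines):
    """Map host -> status. Each line is 'host,os,reported version' (assumed format)."""
    report = {}
    for line in inventory_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _os, raw = (line.split(",", 2) + ["", ""])[:3]
        report[host.strip()] = classify(raw)
    return report


# Constructed sample inventory; hosts and the older versions are made up.
SAMPLE = [
    "# host,os,reported version",
    "ws-001,windows,Google Chrome 149.0.7827.103",
    "mac-014,mac,149.0.7827.102",
    "lnx-007,linux,Google Chrome 149.0.7827.99 ",
    "ws-022,windows,148.0.7778.215",
    "kiosk-3,linux,",
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as `unknown` returned no parseable version and need a manual check rather than being assumed patched.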
