Google has released an update for Chrome 149 that addresses 74 security vulnerabilities, including a critical zero-day that has been actively exploited. It is the fifth zero-day flaw to be actively targeted in 2026.
Details of the Latest Zero-Day Exploit
The newly addressed zero-day vulnerability, identified as CVE-2026-11645, is a high-risk out-of-bounds read/write issue in Chrome’s V8 JavaScript engine. The flaw potentially allows a remote attacker to run arbitrary code inside the sandbox through a specially crafted HTML page.
Although specific details of the attacks leveraging CVE-2026-11645 remain undisclosed, it is suspected that attackers have combined it with a sandbox escape vulnerability. Since the flaw by itself yields code execution only inside the sandbox, such a chain could increase the severity of the threat.
Research and Reporting
An anonymous researcher reported the zero-day vulnerability to Google in late April. This individual, identified by the Google-assigned number ‘303f06e3’, has a history of uncovering Chrome vulnerabilities. For responsibly disclosing CVE-2026-11645, the researcher received a $55,000 reward from Google’s bug bounty program.
This latest zero-day is part of a series of similar vulnerabilities exploited in 2026, including CVE-2026-2441, CVE-2026-3909, CVE-2026-3910, and CVE-2026-5281.
Impact of AI on Vulnerability Discovery
Google has observed a significant increase in the number of security vulnerabilities identified within Chrome, largely attributed to advancements in AI technologies. The company has not specified which AI models or tools contributed to these findings but acknowledges their role in improving detection.
Most of the vulnerabilities patched in this latest Chrome update were discovered internally by Google, with many of them labeled as critical or high severity. In light of AI’s impact on bug discovery, Google has recently adjusted the base rewards for Chrome vulnerability disclosures.
The ongoing efforts to enhance Chrome’s security underline the importance of regular updates and the proactive approach needed to protect against emerging cyber threats.
