Google has released an emergency update for its Chrome browser that fixes 74 security vulnerabilities, including one that attackers are already exploiting in real world attacks. Because Chrome is the most widely used browser in the world and the same engine powers other Chromium based browsers, anyone running it should update right away.
The actively exploited flaw is tracked as CVE-2026-11645 and sits in V8, the part of Chrome that runs the JavaScript code found on nearly every website. Google describes it as an out of bounds read and write, a type of memory bug where the browser can be tricked into reading or writing data outside the space it is supposed to use. In practice that can let an attacker plant malicious instructions in memory and coax the browser into running them, simply by luring a victim to a booby trapped web page.
What is affected
The bug affects Chrome versions before 149.0.7827.103. Google has fixed it in the stable channel releases 149.0.7827.102 and 149.0.7827.103 for Windows and Mac, and 149.0.7827.102 for Linux. The company says the flaw is being exploited in the wild but, as is standard practice while users are still updating, has not released details of who is behind the attacks or how widespread they are.
One mitigating detail: Google notes the code triggered by CVE-2026-11645 runs inside a sandbox, the sealed off environment Chrome uses to contain web content. That limits the immediate blast radius to the browser rather than the whole computer. It is not an all clear, though, because attackers routinely chain a sandbox bug like this one with a second flaw to break out and reach the underlying system.
What you should do
Update Chrome now rather than waiting for the staged rollout to reach you. Open the menu (the three dots), then go to Settings, then About Chrome, and Chrome will download any available update automatically. Restart the browser to finish applying it, and confirm you are on 149.0.7827.102 or later. Users of other Chromium based browsers such as Edge, Brave, Opera, and Vivaldi should watch for and install the equivalent updates from their vendors, since they share the same V8 engine. The fix was published in Google's Chrome releases advisory.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.