Google releases emergency update for fifth Chrome zero-day exploited in the wild this year

Google has released an emergency update to address a zero-day vulnerability in its Chrome browser that has been exploited by attackers. This is the fifth such flaw Google has patched this year, continuing a trend of actively exploited vulnerabilities in widely used software, Bleeping Computer reports.

The vulnerability, identified as CVE-2026-11645, is a high-severity out-of-bounds read and write weakness within Chrome's V8 JavaScript engine. Attackers can exploit this flaw through crafted HTML pages to execute arbitrary code, potentially accessing sensitive data or causing the browser to crash. The exploit can also bypass security measures like ASLR, making it easier to achieve code execution. Google has released patched versions for Windows, Mac, and Linux, urging users to update immediately, although automatic updates may take time to reach all users.

This incident follows four other zero-day vulnerabilities patched in Chrome since the beginning of the year, including issues related to CSS font feature values, the Skia graphics library, the V8 engine, and the Dawn implementation of the WebGPU standard. Google has not yet disclosed specific details about attacks exploiting CVE-2026-11645, restricting access to bug information until a majority of users are updated.

Source: Bleeping Computer
