
Chrome V8 zero-day is under active attack. Update now

Google rushed an emergency patch for CVE-2026-11645, a Chrome V8 flaw already being exploited in the wild. Here is what it is and what to do.

Google has pushed an emergency update for Chrome after attackers started exploiting a flaw in V8, the engine that runs JavaScript and WebAssembly inside the browser. The bug, tracked as CVE-2026-11645, carries a CVSS score of 8.8 and was being used in real attacks before the fix landed on 9 June.

V8 is the part of Chrome that turns the code on a web page into instructions your computer actually runs. An out-of-bounds memory access in that engine means a malicious page can read or write memory it should never touch. In practice, that is the kind of bug that lets a booby-trapped website run code on your machine just because you visited it. No download, no click on a dodgy attachment, just a page load.

Who is affected

Everyone running Chrome on desktop, and by extension anyone on a Chromium-based browser such as Edge, Brave, Opera or Vivaldi. The underlying engine is shared, so those browsers ship their own patches shortly after Google. If you use any of them, this matters to you.

Google has confirmed the flaw is being exploited in the wild but, as it usually does for zero-days, has held back the technical detail until most users have updated. That is standard practice and a sensible one. The gap between a patch shipping and people actually installing it is exactly the window attackers race to exploit.

What to do

Open Chrome, go to the menu, then Help, then About Google Chrome. The browser checks for updates automatically and will start downloading the fix. The important step is the one people skip: click Relaunch. Until you restart the browser, the patch is downloaded but not actually applied, and you are still exposed. Do the same for Edge, Brave or whichever Chromium browser you use.

If you manage devices for an organisation, push the update through your management console rather than trusting every user to relaunch on their own. Zero-days like this one tend to get reverse-engineered within days of the patch going public, so the safe assumption is that exploitation will get worse, not better, over the next week.
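
For administrators, the gap between "downloaded" and "relaunched" can be checked across a fleet. The sketch below is an added example, not from Google or any management product: it assumes a hypothetical inventory export with host, browser, installed_version and running_version columns, and the fixed build numbers in it are constructed placeholders to be replaced with the values from each vendor's advisory.

```python
import csv
import io

# Constructed placeholders, NOT real patched builds. Each Chromium-based
# browser ships its own fix, so the fixed build is tracked per browser.
FIXED_BUILDS = {
    "chrome": "200.0.1000.50",
    "edge": "200.0.900.30",
}

# Constructed sample of a hypothetical inventory export. running_version is
# the version of the live browser process, empty when the browser is closed.
SAMPLE_INVENTORY = """host,browser,installed_version,running_version
ws-001,chrome,200.0.1000.50,200.0.1000.50
ws-002,chrome,200.0.1000.50,200.0.1000.12
ws-003,chrome,200.0.1000.12,200.0.1000.12
ws-004,edge,200.0.900.30,
ws-005,brave,1.90.100,1.90.100
"""

def parse_version(text):
    """Turn '200.0.1000.50' into (200, 0, 1000, 50) so builds compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))

def classify(row, fixed_builds):
    fixed = fixed_builds.get(row["browser"].lower())
    if fixed is None:
        # The vendor's patched build has not been recorded yet: treat as exposed.
        return "NO_FIXED_BUILD_KNOWN"
    fixed_v = parse_version(fixed)
    if parse_version(row["installed_version"]) < fixed_v:
        return "UPDATE_MISSING"
    running = row["running_version"].strip()
    if running and parse_version(running) < fixed_v:
        # Patch is on disk, but the old process is still the one loading pages.
        return "RELAUNCH_PENDING"
    return "PATCHED"

def audit(inventory_csv, fixed_builds=FIXED_BUILDS):
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {row["host"]: classify(row, fixed_builds) for row in reader}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}\t{status}")
```

Hosts reported as RELAUNCH_PENDING are the ones where the user skipped the restart; comparing versions as integer tuples avoids the string-comparison trap where "9" sorts after "10".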

This is not a reason to panic, but it is a five-minute job worth doing today. Browser zero-days are among the most valuable bugs attackers have, precisely because the browser is the one piece of software almost everyone runs and almost nobody patches on time.