Google has shipped an urgent security update for Chrome, patching 74 vulnerabilities — including a high-severity flaw in the browser's V8 JavaScript engine that is already being exploited in the wild.
The actively targeted vulnerability, catalogued as CVE-2026-11645, is classified as an out-of-bounds memory access issue residing in V8, the open-source engine that powers JavaScript and WebAssembly execution in Chrome. According to The Hacker News, the advisory describes affected versions as Chrome builds prior to 149.0.7827.103. Users and administrators should verify the exact patched version via the official Chrome Releases blog.
Why V8 zero-days demand immediate attention
V8 sits at the heart of nearly every interaction users have with the modern web. Because it processes JavaScript and WebAssembly code delivered by websites, a memory-corruption bug of this nature can potentially be triggered simply by luring a victim to a maliciously crafted page — no clicks, downloads, or additional permissions required. That characteristic makes browser engine vulnerabilities fundamentally more dangerous than many other bug classes: the attack surface is essentially the entire web.
Out-of-bounds memory access flaws are particularly hazardous because they can allow an attacker to read or overwrite memory outside the buffer a program intended to use. In the context of a JavaScript engine, this can open the door to information disclosure, arbitrary code execution, or sandbox escapes, depending on how the flaw is chained with other bugs.
The patch gap is closing fast
The fact that CVE-2026-11645 is marked as "exploited in the wild" underscores the accelerating pace at which attackers weaponise browser flaws. Security researchers have repeatedly observed that threat actors are now capable of reverse-engineering browser patches within hours of public disclosure, rapidly building working exploits before many users have applied updates. This shrinking patch gap means that the window between a security bulletin and mass exploitation is shorter than ever — a reality that raises the stakes for both individual users and enterprise IT teams.
Google has not disclosed whether CVE-2026-11645 was reported by an external researcher or discovered through its own internal security testing, including the Chrome Security Reward Programme and Project Zero. The source of the discovery may be clarified in a forthcoming advisory update.
73 additional fixes in the same release
Beyond the zero-day, the update addresses 73 other security issues across Chrome. Google typically withholds detailed technical descriptions of vulnerabilities until the majority of users have had a chance to update, a responsible-disclosure practice designed to limit the window of exposure. Fuller breakdowns of the remaining flaws — including their severity ratings and credited researchers — are expected to appear on the Chrome Releases blog in the coming days.
What users and administrators should do
Users can expedite the update by navigating to Help → About Google Chrome, which will trigger a check for the latest version and prompt a restart once the update is downloaded.
For enterprise environments where Chrome is managed through group policy or mobile device management tools, IT administrators should prioritise pushing this update across their fleets. Organisations in sectors that face elevated targeted-attack risk — including finance, government, and media — should treat the patch as particularly time-sensitive, given that state-sponsored and financially motivated threat actors have historically favoured browser zero-days as initial access vectors.
The incident is a further reminder of the critical importance of memory safety in foundational software. Google has invested heavily in migrating portions of Chromium toward memory-safe languages such as Rust, but the bulk of V8 remains written in C++, a language where out-of-bounds access bugs remain notoriously difficult to eliminate entirely. Until that migration progresses further, rapid patching will continue to be the primary line of defence against zero-day exploitation in the world's most widely used browser.
Google 已為 Chrome 瀏覽器推送緊急安全更新,修補共 74 項安全漏洞,其中包括一項已在野外遭利用、位於瀏覽器 V8 JavaScript 引擎的高風險缺陷。
這項被積極攻擊的漏洞編號為 CVE-2026-11645,歸類為越界記憶體存取問題,存在於驅動 Chrome 中 JavaScript 與 WebAssembly 執行的開源引擎 V8 內。據 The Hacker News 報道,該公告指受影響版本為 149.0.7827.103 以前的 Chrome 版本。用戶及管理員應透過官方 Chrome Releases 網誌 確認確切的已修補版本。
為何 V8 零日漏洞需要立即關注
V8 處於現代網絡幾乎所有互動的核心。由於它負責處理網站提供的 JavaScript 與 WebAssembly 程式碼,此類記憶體損壞漏洞可能只需誘使用戶瀏覽一個精心構造的惡意網頁即可觸發——無需點擊、下載或額外權限。這特性使得瀏覽器引擎漏洞本質上比許多其他類型的缺陷更危險:攻擊面基本上等同於整個網絡。
越界記憶體存取漏洞尤其危險,因為它們可能讓攻擊者讀取或覆寫程式預期使用緩衝區以外的記憶體。在 JavaScript 引擎的背景下,這可能導致資訊洩露、任意程式碼執行或沙盒逃脫,具體取決於漏洞如何與其他缺陷鏈式利用。
修補時間窗口正快速縮短
CVE-2026-11645 被標記為「已在野外利用」,凸顯攻擊者將瀏覽器漏洞武器化的速度正在加快。安全研究人員多次觀察到,威脅行為者如今能在漏洞公開披露後數小時內逆向工程分析瀏覽器更新,並迅速建立有效的攻擊程式碼,遠在許多用戶套用更新之前。這不斷縮短的「修補時間差距」意味著安全公告與大規模利用之間的窗口比以往更短——這現況提高了個人用戶與企業 IT 團隊面臨的風險。
Google 未披露 CVE-2026-11645 是由外部研究人員通報,還是通過其內部安全測試(包括 Chrome 安全獎勵計劃及 Project Zero)發現。發現來源預計將在後續公告更新中說明。
同一版本中另修補 73 項缺陷
除零日漏洞外,此次更新亦修補了 Chrome 中另外 73 項安全問題。Google 通常會在大多數用戶完成更新前,暫緩公開漏洞的詳細技術說明,這是一種負責任的披露做法,旨在縮短風險暴露窗口。其餘漏洞的完整分析——包括其嚴重性評級及應表揚的研究人員——預計將於未來數天在 Chrome Releases 網誌公布。
用戶與管理員應採取的行動
用戶可前往 說明 → 關於 Google Chrome 以加速更新,這將觸發檢查最新版本,並在更新下載完成後提示重新啟動。
對於通過群組原則或流動裝置管理工具管理 Chrome 的企業環境,IT 管理員應優先將此更新推送至所有裝置。處於較高針對性攻擊風險的行業組織——包括金融、政府及媒體——應將此修補視為特別緊急,鑑於國家資助及以經濟利益為動機的威脅行為者歷來偏好將瀏覽器零日漏洞作為初始存取途徑。
此事件進一步提醒我們,基礎軟件中記憶體安全的至關重要性。Google 已大力投資將部分 Chromium 程式碼遷移至 Rust 等記憶體安全語言,但 V8 的主要部分仍以 C++ 編寫,而這種語言中的越界存取缺陷至今仍難以徹底消除。在遷移進程進一步推展前,快速修補仍將是全球最廣泛使用的瀏覽器抵禦零日漏洞利用的主要防線。