CVE-2026-11645 is a high-severity out-of-bounds read/write vulnerability in the V8 JavaScript and WebAssembly engine used by Google Chrome and other Chromium-based browsers. Google/NVD describe the issue as affecting Google Chrome prior to 149.0.7827.103 and allowing a remote attacker to execute arbitrary code inside the browser sandbox via a crafted HTML page. Supporting reporting indicates the bug is rooted in V8 TurboFan optimization logic, specifically flawed range analysis that can incorrectly conclude an array index remains in bounds and eliminate runtime bounds checks. At runtime, optimized native code may then perform reads or writes outside the intended backing store. Additional reporting also notes a possible trigger condition involving stale ElementsKind assumptions after array layout transitions, likewise resulting in invalid memory access and memory corruption. Google confirmed active exploitation in the wild at the time of disclosure.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
Patch, then assume compromise.
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos (2 hidden).
This repository is a very small standalone browser PoC consisting of one HTML file and one README. The main artifact, CVE-2026-11645.html, is a self-contained client-side test page with buttons for version checking, repeated trigger execution, and an automated stress loop. Its JavaScript checks navigator.userAgent for the Chrome major version, labels versions below 149 as likely vulnerable, and then runs a trigger routine that repeatedly instantiates a class extending Function while changing a property value from an integer to a floating-point number. The code frames this as a V8 type confusion / out-of-bounds memory corruption trigger and is designed to induce a crash or instability in vulnerable Chrome 148 builds. There are no network callbacks, no external exploit servers, no shell payloads, and no persistence or command execution logic. The exploit capability is limited to local-in-browser triggering of the claimed vulnerability when a victim opens the malicious HTML page. The strongest observable outcome supported by the code is browser crash/stress testing; the README discusses possible RCE impact, but the repository does not include a full exploitation chain or arbitrary code execution payload. Overall, this is best classified as a browser/web proof-of-concept trigger for a claimed Chrome V8 memory corruption issue, not a weaponized exploit.
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
182 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An earlier Chrome V8 zero-day that was actively exploited in the wild and patched earlier in the month.
A zero-day out-of-bounds read/write vulnerability in the Chromium V8 JavaScript engine that can be triggered via a crafted malicious HTML page, potentially allowing arbitrary code execution within the browser sandbox.
An out-of-bounds read/write vulnerability in the Google Chromium V8 JavaScript engine that could lead to denial of service, privilege escalation, or remote code execution.
A critical out-of-bounds vulnerability in the Google Chromium V8 engine that allows remote code execution via malicious HTML pages.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.