CISA has added CVE-2026-11645 to its Known Exploited Vulnerabilities (KEV) catalogue. The flaw affects Google’s Chromium V8 JavaScript engine and is tracked as the Google Chromium V8 Out-of-Bounds Read and Write Vulnerability. It allows a remote attacker to execute arbitrary code inside a sandbox by persuading a user to open a specially crafted HTML page.
The vulnerability is an out-of-bounds read and write condition in the V8 engine. Successful exploitation can lead to arbitrary code execution within the browser sandbox, potentially enabling further system compromise. It has a Common Vulnerability Scoring System (CVSS) score of 8.8, which rates as HIGH severity. Google has released a patch that addresses the issue, and the update is available through the standard Chrome release channel.
Listing in the KEV catalogue means active exploitation in the wild has been confirmed. No public reports link this flaw to ransomware campaigns at this time. CISA has set a remediation deadline of 23 June 2026 for federal agencies to apply the necessary mitigations.
CISA’s required action is to apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. This directive binds Federal Civilian Executive Branch (FCEB) agencies, but all organisations should review their exposure to Chromium-based browsers and apply the vendor’s update promptly. Organisations should also verify that the update has been successfully deployed across all endpoints.
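One way to script the deployment check described above, as an added example that is not code from CISA or Google: it sorts a browser inventory into patched, vulnerable and unknown hosts and counts the days left to the KEV due date. `FIXED_VERSION` is a placeholder because this page does not state the patched build, and the inventory rows and function names are constructed for illustration.

```python
import csv
import io
import re
from datetime import date

# Values from this page, keyed with the KEV JSON feed's field names.
KEV_ENTRY = {"cveID": "CVE-2026-11645", "dueDate": "2026-06-23"}

# PLACEHOLDER: the page does not give the fixed build; take it from the vendor's release notes.
FIXED_VERSION = "999.0.10.0"

# Constructed inventory export: hostname and installed browser version.
INVENTORY_CSV = """host,browser_version
ws-001,999.0.10.0
ws-002,999.0.9.5
ws-003,
ws-004,999.0.10.2
ws-005,unknown
"""

def parse_version(text):
    """Return a four-part version as a tuple of ints, or None if missing or malformed."""
    text = (text or "").strip()
    if not re.fullmatch(r"\d+(?:\.\d+){3}", text, re.ASCII):
        return None
    return tuple(int(part) for part in text.split("."))

def audit(inventory_csv, fixed_version, kev_entry, today):
    """Bucket hosts as patched, vulnerable or unknown, and count days to the due date."""
    fixed = parse_version(fixed_version)
    if fixed is None:
        raise ValueError(f"bad fixed version: {fixed_version!r}")
    report = {"cve": kev_entry["cveID"], "patched": [], "vulnerable": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        installed = parse_version(row.get("browser_version"))
        # Compare numerically: as strings, "999.0.9.5" would sort above "999.0.10.0".
        if installed is None:
            report["unknown"].append(row["host"])  # no data is not proof of patching
        elif installed >= fixed:
            report["patched"].append(row["host"])
        else:
            report["vulnerable"].append(row["host"])
    report["days_to_deadline"] = (date.fromisoformat(kev_entry["dueDate"]) - today).days
    return report

if __name__ == "__main__":
    print(audit(INVENTORY_CSV, FIXED_VERSION, KEV_ENTRY, date.today()))
```

Hosts in the `unknown` bucket need follow-up rather than being counted as compliant, and a negative `days_to_deadline` means the due date has passed.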
For full details, see the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-11645 and the CISA KEV catalogue.