A critical out-of-bounds memory safety vulnerability inside a primary browser parsing component has come under active wild exploitation, forcing the execution of emergency out-of-band updates across workstation environments. The flaw permits remote unauthenticated adversaries to run malicious parameters within localized script engines.
Tracked as CVE-2026-11645, the defect affects the V8 JavaScript and WebAssembly parsing module of Google Chrome builds prior to version 149.0.7827.103. The bug stems from an omission within internal bounds verification schemas during code optimization sweeps. By steering a target user to a poisoned HTML document, attackers can force the engine to read and write outside its allocated memory barriers. This action facilitates local address layout randomization leaks, browser application crashes, and arbitrary shellcode deployment.
While the execution footprint operates inside the browser renderer partition, a persistent foothold at this layer provides initial access brokers with a functional springboard. Adversaries routinely chain these layout exploits with adjacent system driver weaknesses to break sandbox boundaries entirely, harvest stored validation tokens, and access connected corporate email networks.
– Enforce rapid update compliance rules to update Google Chrome installations to version 149.0.7827.102/.103 immediately.
– Review persistent virtual desktop instances and browser sessions to ensure old background processes are completely restarted.
– Deploy strict application sandboxing bounds across enterprise endpoints to restrict untrusted render processes from making system calls.
– Monitor logging metrics for unusual child application triggers originating from browser temporary data paths.
Workstation safety relies on immediate patch validation to ensure internal script processing modules cannot be subverted for automated malware payload execution. #CodeDefence #Google #Chrome #ZeroDay #V8Engine #AppSec
/
