Chrome's zero-day Whac-A-Mole continues with fifth exploited bug of the year
Google paid researcher a tidy $55K bounty for its discovery
Google has fixed its fifth actively exploited Chrome zero-day of 2026, and this one earned its finder a $55,000 bounty.
The flaw, tracked as CVE-2026-11645, is an out-of-bounds memory access bug in Chrome's V8 JavaScript engine. Google confirmed that the vulnerability is being exploited in the wild, but has disclosed little beyond the bare technical details.
The company patched the issue in the latest Stable Channel releases for Windows, macOS, and Linux. It also awarded a $55,000 bounty to the researcher using the handle "303f06e3," who reported the bug on April 27.
The reward suggests Google viewed the report as potentially serious, particularly given its location in V8, the JavaScript engine at the heart of Chrome. Bugs in V8 have featured regularly in both Chrome security advisories and exploit chains over the years, making it one of the browser's more closely watched components.
As is standard when active exploitation is involved, Google has withheld technical details that could help others carry out the attack before users have had a chance to patch.
CVE-2026-11645 is the fifth exploited Chrome zero-day fixed this year. Google started 2026 by patching CVE-2026-2441, a use-after-free flaw in CSS. Two more zero-days followed in March, CVE-2026-3909 and CVE-2026-3910, before another actively exploited vulnerability, CVE-2026-5281, was patched in April.
For Google's browser engineers, 2026 is shaping up to be another busy year. The company patched eight Chrome zero-days across all of 2025, and it’s already more than halfway to that figure with more than six months still to go.
There is no indication that the latest flaw has been used in broad, indiscriminate attacks. Zero-days are often reserved for targeted operations until patches become available, after which researchers and criminals alike begin dissecting the fixes to understand what changed.
For Chrome users, the advice remains much the same as it was after the first four zero-days this year: restart the browser, install the update, and avoid giving attackers an unnecessary head start. ®