
Just a week ago, Google dropped a massive security patch that addressed hundreds of individual software bugs. Now, billions of desktop and mobile users face another urgent reason to check their web browser version. Google has officially released Chrome version 149, aiming to fix an active zero-day vulnerability that malicious actors are already exploiting in the wild.
Google Chrome CVE-2026-11645 vulnerability gets a fix with the 149 update
The high-severity flaw is cataloged as CVE-2026-11645. It stems from an out-of-bounds memory access weakness in Chrome’s V8 JavaScript and WebAssembly engine. According to data published by the National Vulnerability Database (NVD), a remote attacker could exploit the flaw by directing unsuspecting targets to a maliciously crafted HTML web page. Once visited, the page can trigger heap corruption, enabling attackers to execute unauthorized code directly within the web browser’s isolated security sandbox. They could also bypass traditional defenses like ASLR to cause a complete system crash.
The hunt for modern bugs
An independent security researcher known online by the handle “303f06e3” discovered and responsibly disclosed the vulnerability to Google back in late April. For their efforts in securing the platform, Google awarded the researcher a substantial $55,000 bug bounty payment (via Forbes).
Interestingly, the broader Chrome 149 package addresses over 70 additional security flaws. This includes 17 separate vulnerabilities rated critical in severity. Google’s internal security teams discovered almost all of these accompanying flaws. This suggests automated internal testing tools are heavily assisting engineers in uncovering deep-seated legacy bugs within production code.
As is standard operating protocol during active zero-day threats, Google is withholding granular technical details regarding how hackers are executing the exploit. Keeping these specific blueprints under lock and key prevents copycat attackers from developing their own variations.
How to secure your desktop immediately
The fixed builds are rolling out to the stable channel as versions 149.0.7827.102/.103 for Windows and Mac, and as version 149.0.7827.102 for Linux and Android. Furthermore, anyone using alternative Chromium-based web browsers (such as Microsoft Edge, Brave, Opera, or Vivaldi) should keep a close eye out for corresponding updates from their respective developers over the coming days.
Chrome natively downloads and applies security patches automatically in the background during normal operation. However, the rolling release schedule means it can take several days or even weeks to reach every single machine organically.
This marks the fifth actively exploited zero-day vulnerability Google has had to patch since the start of the year. Therefore, waiting around for an automatic update introduces unnecessary risk.
To bypass the queue and force the patch immediately on your desktop, click the three-dot menu icon in the top-right corner of your browser interface, go down to Help, and select About Google Chrome. The browser will instantly ping Google’s servers and download the version 149 update. Then, it will prompt you to relaunch the software to ensure your device is fully locked down against ongoing web-based attacks.
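For anyone responsible for more than one machine, the fixed build numbers above can be checked against an inventory export. The following is an added example, not part of the original article or any Google tooling; the hostnames, the CSV column layout and every version string other than the fixed 149.0.7827.102 build are constructed for illustration.

```python
import csv
import io
import re

# Fixed stable builds as stated in the article (Windows/Mac also ship .103).
FIXED_CHROME = {
    "windows": (149, 0, 7827, 102),
    "mac": (149, 0, 7827, 102),
    "linux": (149, 0, 7827, 102),
    "android": (149, 0, 7827, 102),
}
VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")

def parse_version(text):
    """Return the first four-part version in text as a tuple of ints, or None."""
    match = VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None

def assess(platform, browser, version_text):
    """Classify one install: patched, needs-update, vendor-check or unknown."""
    if browser.strip().lower() != "chrome":
        # Other Chromium-based browsers use their own version numbers; the
        # article only says to watch for each vendor's corresponding update.
        return "vendor-check"
    fixed = FIXED_CHROME.get(platform.strip().lower())
    found = parse_version(version_text)
    if fixed is None or found is None:
        return "unknown"
    # Tuple comparison is numeric per component, so build 99 sorts below 102
    # (a plain string comparison would get this wrong).
    return "patched" if found >= fixed else "needs-update"

def audit(inventory_csv):
    """Map each host in a host,platform,browser,version CSV to its status."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: assess(r["platform"], r["browser"], r["version"]) for r in rows}

# Constructed sample inventory (hypothetical hosts and column layout).
SAMPLE_INVENTORY = """host,platform,browser,version
ws-01,windows,chrome,Google Chrome 149.0.7827.103
ws-02,mac,chrome,149.0.7827.99
ws-03,linux,chrome,Google Chrome 148.0.7700.10
ws-04,windows,edge,148.0.3900.50
ws-05,linux,chrome,not installed
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as needs-update are the ones to push through the manual update path described above rather than leaving to the background rollout.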
The post Chrome 149 Lands to Fight an Active, In-the-Wild Security Threat: Update Right Now appeared first on Android Headlines.