“Google is aware that an exploit for CVE-2026-11645 exists in the wild.”
Google. 2026. Chrome Releases. Release updates from the Chrome team.
I’ve been going through the latest vulnerability data again, and one issue keeps repeating: Browsers are still one of the easiest ways into an environment. The latest vulnerabilities are a good reminder why.
One issue, multiple browsers at risk
Most people still think in terms of “Chrome vs Edge vs Brave.” That way of thinking might be outdated. At least from a security perspective, this is true, because they all run on Chromium with the same core engine and underlying components. So, when something breaks in Chromium, it breaks across all of them.
The latest example is CVE-2026-11645. With high severity (CVSS 8.8), this affects the V8 engine that runs JavaScript, and it is already being actively exploited in the wild.
In practice this means:
- You open a malicious page
- The browser processes it
- The attacker gets code execution inside the browser
No downloads are needed, and there’s no complicated flow. And yes, this impacts Chrome, Edge, Opera, Vivaldi, Brave—everything that’s built on Chromium.
This is why patching speed matters
What makes browser vulnerabilities different is how low the barrier is. You don’t need users to install anything. Just visiting a page is enough.
That is exactly why attackers keep focusing here. Also worth noting, this is not a one-off situation. This is already the fifth Chrome zero-day exploited this year. It is also not the first time a vulnerability has targeted the Chromium V8 engine. I wrote about this topic in November 2025 as well. So, this is not a rare event. It is a consistent pattern. If your browser is outdated, you are very likely exposed to something that is already known and already used.
What I’m seeing in real environments
Typical issues include:
- Browsers are updated but not restarted
- Auto updates don’t apply
- Different browsers are managed inconsistently
- People use browsers outside company policies
The result is that we are exposed to threats for longer than we should be.
The latest browser releases
Here is what vendors have pushed recently to remediate CVE-2026-11645 vulnerability.
Google Chrome
- Version: 149.0.7827.102 / 103
- Release notes: Chrome Stable Channel Update
Microsoft Edge
- Version: 149.0.4022.62
- Release notes: Release notes for Microsoft Edge Security Updates
Opera
- Version: 132.0.5905.37
- Release notes: Opera 132.0.5905.37 Stable Update
Vivaldi
- Version: 8.0.4033.46
- Release notes: Minor update (6) for Vivaldi Desktop Browser 8.0
Brave
- Version: 1.91.171
- Release notes: Release v1.91.171 (Chromium 149.0.7827.103)
The takeaway
There are two things that matter here. Browsers share the same underlying engine. Exploits target that shared engine. So switching browsers does not reduce risk if you are still on Chromium. What reduces risk is staying up to date. What I recommend in practice:
- Always keep browsers on latest version
- Enforce restart after update
- Make sure updates are applied, not just downloaded
- Control which browsers are allowed in managed environments
Related reading
Third-Party Patch Management Still Keeps IT Teams Up at Night
