Google confirmed active in-the-wild exploitation of CVE-2026-11645, a CVSS 9.5 out-of-bounds read/write vulnerability in Chrome’s V8 JavaScript engine — the fifth Chrome zero-day exploited in 2026. Any endpoint running Chrome below version 149.0.7827.102 (Windows/Mac) or 149.0.7827.103 (Linux) is vulnerable to drive-by compromise via a single malicious webpage visit, with the V8 memory corruption primitive commonly chained to sandbox escapes for full system compromise.