Google Chrome faces two concurrent risk items this week: CVE-2026-11645, an actively exploited out-of-bounds memory flaw in the V8 JavaScript engine patched in Chrome 149, and the BadBlocker Chrome extension (ID: cmedhionkhpnakcndndgjdbohmhepckk) which contains a dormant remote JavaScript injection capability affecting 10 million active installs. The CVE requires immediate patching; the extension requires immediate removal and policy enforcement regardless of patch status.