CVE-2026-11645 is an actively exploited out-of-bounds memory flaw in the V8 JavaScript engine in Chrome 149, patched in versions 149.0.7827.102/103 on desktop and 149.0.7827.196/197 on iOS. A crafted web page can trigger remote code execution within the browser sandbox with no user interaction beyond a page visit, making this a drive-by compromise risk across all 3.5 billion Chrome-installed devices on Windows, macOS, Linux, and iOS. The patch cycle covers 74 total vulnerabilities in this Chrome release.