Five Actively-Exploited Chrome Zero-Days in Five Months: The Browser Is the Most-Attacked Program on Your Machine, and CVE-2026-11645 Is Just June's.
- Patrick Duggan
On Tuesday Google shipped an emergency Chrome update for CVE-2026-11645, an out-of-bounds memory access in V8, the JavaScript and WebAssembly engine at the heart of the browser, already being exploited in the wild. On its own that is a routine entry in a defender's week: patch Chrome, move on. The number worth pausing on is not the CVE, it is the ordinal. This is the fifth actively-exploited Chrome zero-day of 2026, and we are barely past the halfway point of the year. The cadence is the story, and the cadence has a lesson in it that is easy to miss precisely because browser updates are so routine that we have stopped reading them.
The Five, In Order
The pattern is clearer when you lay the year out. In February it was CVE-2026-2441, a use-after-free in CSS. In March there were two in the same month: CVE-2026-3909, an out-of-bounds write in the Skia 2D graphics library, and CVE-2026-3910, a flaw in the V8 engine. In April it was CVE-2026-5281, in Dawn, the cross-platform implementation underneath the WebGPU standard. And now in June it is CVE-2026-11645, back in V8. Five zero-days, each one confirmed exploited before the patch existed, spread across the rendering engine, the graphics library, the GPU layer, and the JavaScript engine — which is to say across every major component that takes data from a web page and turns it into something the machine executes. The reporter of the June bug earned a fifty-five-thousand-dollar bounty, which tells you what these are worth to the people who do not report them.
Why The Browser Is The Perennial Front
There is a structural reason the browser leads this list every year, and it is not that Chrome is uniquely badly written. The browser is the one program on a normal person's machine whose entire job is to download untrusted code from anywhere on the internet and run it, thousands of times a day, automatically, without asking. Every other application waits for you to open a file; the browser opens the file the moment a page loads, and the page can come from anyone. That makes the engines that parse and execute web content — V8 for JavaScript, Skia for graphics, Dawn for the GPU — the single richest attack surface on the device, and it makes a memory-safety bug in any of them a direct path from a malicious web page to code running on your computer. A use-after-free in CSS and an out-of-bounds read in V8 sound esoteric; what they mean in practice is that visiting the wrong page, or loading the wrong ad on the right page, was enough. That is why this is whack-a-mole and always will be: the surface is irreducible, because the browser's value and its danger are the same property.
What A Defender Does With A Cadence
You cannot make the browser stop being the front, so you manage the one variable you control, which is the gap between disclosure and patch. For an actively-exploited zero-day that gap is the most dangerous interval in security, and on the browser it closes fast if you let it: Chrome auto-updates, so the single highest-value habit for an individual is to fully close and reopen the browser when an update is pending rather than leaving a session running for weeks, because an update that has downloaded but not restarted is not protecting you. For a fleet, the lesson of five zero-days in five months is that browser patching cannot be a monthly cycle item; it needs to be the fastest patch lane you have, measured in hours after Google ships, with enforced restarts rather than polite reminders. And the strategic read for anyone allocating defensive attention: the browser is not a low-priority consumer app to be managed alongside the rest of the desktop software, it is the most-attacked program your people run, every day, by design — and treating its patch latency as a first-class metric is one of the highest-yield, lowest-glamour things a security program can do. June's bug has a number. The pattern does not need one; it just needs you to stop ignoring it.
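The paragraph above turns patch latency into a metric and singles out the "downloaded but not restarted" state as the one that looks patched on paper but is not. The script below is an added example, not code from the original post, showing how a defender can compute that metric over a fleet inventory. It assumes an inventory that records, per host, the Chrome build on disk and the build of the live process (for instance from an EDR or a login script that reads both); the host records, the release timestamp and the fixed build string are constructed placeholders, since the post gives no version number for the June fix.

```python
"""Browser patch-latency report for a fleet (added example, not from the post).

For each host we classify the state of the Chrome update relative to a fixed
build and compute how many hours elapsed between the vendor release and the
moment the host was actually running the fixed build. A host where the fixed
build is on disk but the running process is older is reported separately:
the update has downloaded but the browser was never restarted.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

UTC = timezone.utc


@dataclass
class Host:
    name: str
    installed_version: str                 # build on disk, fetched by the updater
    running_version: Optional[str]         # build of the live process, None if not running
    process_start: Optional[datetime]      # when the live process started


@dataclass
class Finding:
    host: str
    status: str                            # patched | restart_pending | unpatched | installed_not_running
    latency_hours: Optional[float]         # hours from release until protected (or until now, if not yet)


def parse_version(v: str) -> tuple[int, ...]:
    """Turn a dotted Chrome build string into a tuple that compares numerically."""
    return tuple(int(part) for part in v.strip().split("."))


def hours_between(start: datetime, end: datetime) -> float:
    """Elapsed hours, clamped at zero so a clock skew never yields negative latency."""
    return max(0.0, (end - start).total_seconds() / 3600.0)


def assess(host: Host, fixed_version: str, release_time: datetime, now: datetime) -> Finding:
    """Classify one host against the fixed build."""
    fixed = parse_version(fixed_version)
    if parse_version(host.installed_version) < fixed:
        # The updater has not even fetched the fixed build yet.
        return Finding(host.name, "unpatched", hours_between(release_time, now))
    if host.running_version is None or host.process_start is None:
        # Fixed build on disk, browser not running: the next launch is protected.
        return Finding(host.name, "installed_not_running", None)
    if parse_version(host.running_version) < fixed:
        # The state the post warns about: downloaded, never restarted, still exposed.
        return Finding(host.name, "restart_pending", hours_between(release_time, now))
    # Protected since the process (re)started into the fixed build.
    return Finding(host.name, "patched", hours_between(release_time, host.process_start))


def run_report(inventory: list[Host], fixed_version: str,
               release_time: datetime, now: datetime) -> list[Finding]:
    return [assess(h, fixed_version, release_time, now) for h in inventory]


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count hosts per status; the restart_pending bucket is the one to drive to zero."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.status] = counts.get(f.status, 0) + 1
    return counts


def hosts_over_sla(findings: list[Finding], sla_hours: float) -> list[str]:
    """Hosts still exposed past the patch-lane SLA (unpatched or awaiting a restart)."""
    return [f.host for f in findings
            if f.status in ("unpatched", "restart_pending")
            and f.latency_hours is not None and f.latency_hours > sla_hours]


# Constructed sample data. FIXED_VERSION and RELEASE_TIME are placeholders:
# substitute the build and timestamp from Google's release note for the CVE.
FIXED_VERSION = "130.0.6723.116"
RELEASE_TIME = datetime(2026, 6, 2, 18, 0, tzinfo=UTC)
NOW = datetime(2026, 6, 4, 18, 0, tzinfo=UTC)           # 48 hours after release
SAMPLE_INVENTORY = [
    Host("ws-01", "130.0.6723.116", "130.0.6723.116", datetime(2026, 6, 2, 21, 0, tzinfo=UTC)),
    Host("ws-02", "130.0.6723.116", "130.0.6723.91", datetime(2026, 5, 20, 9, 0, tzinfo=UTC)),
    Host("ws-03", "130.0.6723.91", "130.0.6723.91", datetime(2026, 5, 28, 9, 0, tzinfo=UTC)),
    Host("ws-04", "130.0.6723.116", None, None),
]

if __name__ == "__main__":
    report = run_report(SAMPLE_INVENTORY, FIXED_VERSION, RELEASE_TIME, NOW)
    for f in report:
        lat = "n/a" if f.latency_hours is None else f"{f.latency_hours:.1f}h"
        print(f"{f.host:8} {f.status:22} {lat}")
    print("summary:", summarize(report))
    print("over 24h SLA:", hosts_over_sla(report, 24))
```

Fed the constructed inventory, ws-01 reports as patched with a 3-hour latency, ws-02 as restart pending at 48 hours, ws-03 as unpatched at 48 hours, and ws-04 as installed but not running; the SLA check lists ws-02 and ws-03. The point of keeping restart_pending as its own bucket is that a version scan of files on disk would count ws-02 as done, which is exactly the blind spot the post describes.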