Published Sunday, June 21, 2026 at 07:05 PM PT

BREAKING SECURITY ALERT — CHROME ZERO-DAY #5 EXPLOITED IN THE WILD (2026)

BLUF: Google has patched a fifth actively exploited zero-day vulnerability in Chrome this year. All users and organizations running unpatched versions of Chrome are at risk. Update immediately.


DETAILS

  • Google has confirmed a fifth Chrome zero-day vulnerability exploited in the wild in 2026, continuing a pattern of repeated active exploitation against the browser this year.
  • The vulnerability is tracked as CVE-2026-11645. Google has released emergency updates to address it.
  • Active exploitation has been confirmed; however, specific threat actor attribution, attack vectors, and the full technical nature of the vulnerability have not been publicly confirmed at this time.
  • Google’s disclosure follows its standard limited-detail policy during active exploitation windows — full technical details are likely being withheld to allow user patching time.
  • This is the fifth zero-day patched in Chrome in 2026 alone, indicating sustained, active targeting of the browser by threat actors.

IMPACT

  • Who is affected: All users and organizations running Google Chrome on any platform (Windows, macOS, Linux, Android) on unpatched versions.
  • Scope: Potentially global and broad — Chrome holds a dominant share of browser market usage across enterprise and consumer environments.
  • Severity: Active exploitation confirmed. Risk level is HIGH until patching is complete.
  • Uncertainty flag: Specific exploitation targets (e.g., targeted campaigns vs. opportunistic) are not confirmed. Do not assume your organization is or is not targeted.

RECOMMENDED ACTIONS

  1. Update Chrome immediately — navigate to Settings > Help > About Google Chrome to force an update and relaunch.
  2. Verify version — confirm all endpoints are running the patched version released with this emergency update. Check Google’s official release notes for the confirmed safe version number.
  3. Prioritize enterprise fleet patching — push updates via endpoint management tools (Intune, SCCM, etc.) without waiting for user-initiated updates.
  4. Monitor threat intelligence feeds for emerging indicators of compromise (IOCs) as technical details are released post-patch.
  5. Consider temporary browser restrictions in high-sensitivity environments if immediate patching is not feasible.
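
One way to carry out the version check in steps 2 and 3 across a fleet, as an added example that is not part of the original alert or any vendor tooling. It assumes an inventory export with hypothetical columns hostname, platform and chrome_version, and allows for a different patched build per platform. The version numbers are constructed placeholders, not the real fix for CVE-2026-11645; take the real ones from Google's release notes.

```python
import csv
import io

# CONSTRUCTED placeholder builds, NOT the real fix for CVE-2026-11645.
# Replace with the per-platform versions from Google's release notes.
PATCHED = {"windows": "100.0.1000.51", "macos": "100.0.1000.51",
           "linux": "100.0.1000.50", "android": "100.0.1000.50"}

# Constructed sample of an endpoint-management inventory export.
SAMPLE_INVENTORY = """hostname,platform,chrome_version
ws-001,Windows,100.0.1000.51
ws-002,Windows,100.0.1000.9
mac-001,macOS,99.0.4000.200
lnx-001,Linux,100.0.1000.50
kiosk-7,Windows,
lab-3,ChromeOS,100.0.1000.51
"""


def parse_version(text):
    """Return a Chrome version as a tuple of four ints, or None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def classify(platform, version, patched=PATCHED):
    """Return 'patched', 'vulnerable' or 'unknown' for one endpoint."""
    minimum = parse_version(patched.get(platform.strip().lower(), ""))
    current = parse_version(version or "")
    if minimum is None or current is None:
        return "unknown"  # missing data is not proof of a patched host
    # Tuple comparison is numeric: build .9 sorts below .51, unlike strings.
    return "patched" if current >= minimum else "vulnerable"


def audit(inventory_csv, patched=PATCHED):
    """Map hostname -> status for every row of the inventory export."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["hostname"]: classify(r["platform"], r["chrome_version"], patched)
            for r in rows}


if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host:10} {status}")
```

Hosts reported as unknown (no version reported, or a platform with no listed patched build) need manual follow-up rather than being counted as compliant.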

SOURCES

  • The Register Security — “Chrome’s zero-day Whac-A-Mole continues with fifth exploited bug of the year”
  • SOC Prime — CVE-2026-11645: Chrome Zero-Day Vulnerability Exploited in the Wild
  • Google Chrome release channel (verify patched version number directly at chromereleases.googleblog.com)

⚠ NOTE: Technical exploitation details remain limited pending Google’s post-patch disclosure. This alert will require update as additional confirmed information becomes available. Do not act on unverified third-party claims about attack specifics.