Chrome zero-day under active attack — update your browser today
Google has shipped an emergency Chrome update for a zero-day flaw that attackers are already exploiting. The bug, CVE-2026-11645, sits in Chrome’s V8 JavaScript engine and can be triggered by a single booby-trapped web page — no clicks or downloads needed. As reported by BleepingComputer, it’s the fifth Chrome zero-day exploited in the wild this year.
Here’s why it matters: this isn’t some niche server product. Chrome — and every browser built on it, including Microsoft Edge — runs on nearly every machine in your business. A successful exploit lets an attacker run code inside the browser, which is often the first step toward stealing saved passwords, session cookies or company data. The fix landed on 8 June, and the flaw is now on the US CISA must-patch list, which tells you it’s being used in real attacks, not just theory.
What to do: update now. In Chrome, click the three-dot menu > Help > About Google Chrome, and it will pull the patch and prompt a restart. You want version 149.0.7827.102 or later (Edge users: Settings > About Microsoft Edge). The catch is the update only takes effect after the browser restarts — and plenty of people leave Chrome open for weeks. Don’t assume auto-update has quietly handled it; check, then restart.
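The check described above (right version, and actually restarted), written as a small fleet triage script. This is an added example, not code from Google or from the original article; the host names, inventory rows and every version other than 149.0.7827.102 are constructed, and it assumes you can collect both the on-disk version and the version the open browser reports in chrome://version.

```python
import re

# Minimum fixed Chrome build, taken from the article above.
CHROME_FIXED = (149, 0, 7827, 102)

def parse_version(text):
    """Pull a four-part Chromium version out of text such as
    'Google Chrome 149.0.7827.102' and return it as a tuple of ints."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(part) for part in m.groups())

def triage(installed, running=None, fixed=CHROME_FIXED):
    """Classify one machine.

    installed: version string of the browser binary on disk
    running:   version string the open browser reports, or None if closed
    """
    # Compare as integer tuples: as plain strings, '...99' sorts above '...102'.
    if parse_version(installed) < fixed:
        return "UPDATE"    # patch has not been downloaded yet
    if running is not None and parse_version(running) < fixed:
        return "RESTART"   # patched on disk, old code still loaded in memory
    return "OK"

# Constructed inventory rows: (host, installed version, running version)
SAMPLE = [
    ("laptop-01", "Google Chrome 149.0.7827.102", "149.0.7827.102"),
    ("laptop-02", "Google Chrome 149.0.7827.102", "149.0.7827.56"),
    ("laptop-03", "Google Chrome 149.0.7827.99", None),
    ("laptop-04", "Google Chrome 150.0.7900.10", None),
]

def report(rows):
    """Return {host: status} for every inventory row."""
    return {host: triage(inst, run) for host, inst, run in rows}

if __name__ == "__main__":
    for host, status in report(SAMPLE).items():
        print(f"{host:10} {status}")
```

The default threshold applies to Chrome only. The article gives no fixed version number for Edge, so pass Microsoft's published build as `fixed` rather than reusing the Chrome one.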
If you’d rather not chase this across every staff laptop, that’s exactly what managed patching is for. Our cybersecurity team can make sure browser and OS updates are applied across your fleet without anyone having to remember.
