CVE-2026-11645

HIGH KEV

Google Chrome - Out-of-Bounds Access


Exploitation Summary

CVE-2026-11645 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added June 9, 2026. EIP tracks 3 public exploits from researchers including 0xBlackash, adamshaikhma, and fevar54.

AI-analyzed exploit summary: The repository contains a functional HTML-based PoC for CVE-2026-11645, a V8 engine out-of-bounds read/write vulnerability in Chrome 148. The exploit triggers memory corruption via type confusion in JavaScript class manipulation, potentially leading to RCE.

Description

Out of bounds read and write in V8 in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Exploits (3)

github WORKING POC 1 stars
by 0xBlackash · htmlpoc
https://github.com/0xBlackash/CVE-2026-11645

The repository contains a functional HTML-based PoC for CVE-2026-11645, a V8 engine out-of-bounds read/write vulnerability in Chrome 148. The exploit triggers memory corruption via type confusion in JavaScript class manipulation, potentially leading to RCE.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Google Chrome < 149.0.7827.103
No auth needed
Prerequisites: Vulnerable Chrome version (148) · User interaction (clicking buttons)
devstral-2 · analyzed Jun 11, 2026

github SUSPICIOUS
by adamshaikhma · poc
https://github.com/adamshaikhma/CVE-2026-11645

The repository claims to provide an exploit for CVE-2026-11645 but lacks actual exploit code, instead directing users to an external download link (tinyurl.com). The README contains generic details about the vulnerability without technical depth or functional code.

Classification: Suspicious 90%
Attack Type: RCE
Complexity: Theoretical
Reliability: Theoretical
Target: Google Chrome prior to 149.0.7827.103
No auth needed
Prerequisites: crafted HTML page
devstral-2 · analyzed Jun 11, 2026

github WORKING POC
by fevar54 · poc
https://github.com/fevar54/CVE-2026-11645-Out-of-bounds-Read-Write

This repository contains a functional proof-of-concept exploit for CVE-2026-11645, demonstrating an out-of-bounds read/write vulnerability in Chrome's V8 JavaScript engine. The exploit leverages JIT compilation to bypass bounds checks and includes both a detailed PoC and a minimalist trigger.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Google Chrome < 149.0.7827.103
No auth needed
Prerequisites: Vulnerable Chrome version · User interaction to visit malicious webpage
devstral-2 · analyzed Jun 10, 2026

Scores

CVSS v3 8.8
EPSS 0.0071
EPSS Percentile 48.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2026-06-09
VulnCheck KEV 2026-06-08
ENISA EUVD EUVD-2026-35245
CWE: CWE-125, CWE-787
Status published
Products (2)
google/chrome < 149.0.7827.103
Google/Chrome 149.0.7827.103
Published Jun 09, 2026
KEV Added Jun 09, 2026
Tracked Since Jun 09, 2026