Google Patches Zero-Day Exploit in Chrome 149 Update
AI-generated from multiple sources. Verify before acting on this reporting.
MOUNTAIN VIEW, Calif. — Additional reports have corroborated active exploitation of the zero-day vulnerability in Google Chrome. Security researchers have confirmed further instances of the attack being used against users in the wild. The new reports align with the initial findings concerning CVE-2026-11645, reinforcing the urgency for users to apply the latest security patch immediately. Google has not issued further technical details about these additional incidents but continues to monitor the situation closely. The confirmed expansion of active attacks underscores the need for all Chrome users to update their browsers to version 149 or later to mitigate the risks of this high-severity flaw.
MOUNTAIN VIEW, Calif. — Google released a critical security update for its Chrome browser on Tuesday, patching 74 vulnerabilities, including a zero-day exploit that has already been used in active attacks.
The update, version 149, addresses a range of security flaws identified in the browser's code. Among the patched issues is a high-severity vulnerability designated CVE-2026-11645, which security researchers have confirmed is being exploited in the wild. The zero-day allows attackers to execute arbitrary code on a victim's machine, potentially leading to data theft or system compromise.
Google's Project Zero team, which focuses on finding and fixing security vulnerabilities, credited an anonymous researcher with discovering the flaw. The company stated that the vulnerability was actively exploited before the patch was released, prompting an emergency update cycle. Users are urged to update their browsers immediately to protect against potential attacks.
The 74 vulnerabilities patched in this release include memory corruption issues, use-after-free errors, and type confusion bugs. While the zero-day represents the most critical threat, the other flaws could also be leveraged by malicious actors to gain unauthorized access to user systems. Google's security bulletin details the technical specifics of each vulnerability and provides guidance for enterprise administrators on deploying the update.
Chrome is the world's most widely used web browser, running on billions of devices globally. That wide adoption makes it a prime target for cybercriminals seeking to exploit vulnerabilities at scale. The discovery of an active zero-day exploit underscores the ongoing arms race between security researchers and threat actors.
The update is available for Windows, macOS, Linux, and Android devices. iOS users will receive the patch through the App Store update mechanism. Google has not specified the geographic origin of the attacks or the specific threat actors responsible for exploiting the zero-day. The company is continuing to monitor the situation for any further developments.
Security experts recommend that organizations implement additional security measures beyond the browser update, including network segmentation and endpoint detection systems. The incident highlights the importance of keeping software up to date and the challenges of securing complex software ecosystems.
The full list of patched vulnerabilities is available on Google's security blog. The company has not disclosed whether any specific organizations or individuals were targeted by the exploit. As of Tuesday afternoon, there were no confirmed reports of widespread data breaches linked to the zero-day, though investigators are still assessing the scope of the attacks.
Google's rapid response to the zero-day demonstrates the company's commitment to protecting user security. However, the incident serves as a reminder of the persistent threats facing internet users and the critical role of timely security updates in mitigating those risks.