Google released a broad security update for Chrome addressing 74 vulnerabilities, including a high-severity zero-day (CVE-2026-11645) that is already being exploited in the wild.

Users of other Chromium-based browsers—Edge, Brave, Opera, and Vivaldi—should apply fixes as soon as they are available.

The zero-day stems from an out-of-bounds memory access in the V8 engine, with potential for denial of service, privilege escalation, or remote code execution.

The article provides no specifics on the nature of attacks or the targeted victims.

Guidance is offered on threat mitigation and a brief plug for Malwarebytes Browser Guard.

Threat actors have used this zero-day in targeted attacks, with no public proof-of-concept at the time, suggesting involvement by well-resourced groups rather than indiscriminate campaigns.

Regulated sectors should follow CISA KEV guidance, document remediation, and conduct user awareness training to reduce visit-based exploit risk.

Patch rollout is gradual over days to weeks, with some details withheld to protect users until broad adoption.

There is urgency to apply updates to mitigate zero-day risk, especially for users who delay automatic updates.

The update also adds features such as the ability to sign PDF forms without a browser extension.

There is no public attribution to a specific sector, but past Chrome zero-days have targeted government, tech, financial, and enterprise sectors; KEV highlights risk to critical infrastructure.

A second critical flaw carried a $43,000 bounty, underscoring its impact and the depth of investigation.