Part of Lyceum Intelligence — deep-research In Focus reports → · Lyceum Corpus — ask the documents →

Full-text search across 381 articles. Typo-tolerant.

Lyceum News Desk ·

[KEV] CVE-2026-11645 -- CVSS 0.0 Vulnerability Briefing

[KEV] CVE-2026-11645 | CVSS 0.0 (Low) | Exploit: Operational

What Is It

CVE-2026-11645 is an out-of-bounds read and write vulnerability in Google Chromium's V8 JavaScript engine, affecting all Chromium-based browsers including Google Chrome, Microsoft Edge, and Opera.

Technical Detail

The flaw resides in the V8 JavaScript engine's memory handling, where improper bounds checking allows out-of-bounds read and write operations to occur. An attacker can trigger this vulnerability by delivering a crafted HTML page to a target user, requiring no authentication and only standard browser interaction. Successful exploitation results in arbitrary code execution within the browser sandbox, which may serve as a stepping stone to further sandbox escape if chained with a secondary privilege escalation vulnerability.

Exploitation Status

CISA has confirmed active exploitation in the wild, adding this vulnerability to the Known Exploited Vulnerabilities catalog on June 9, 2026. The exploit maturity is rated Operational, meaning a functional exploit capable of reliable execution against real targets is in active use, not merely a proof-of-concept demonstration.

Who Is Targeting This

No specific threat actor attribution at this time. Neither confirmed nor reported threat actor associations have been established in available intelligence. Given the browser-based attack surface and operational exploit maturity, opportunistic and targeted campaigns should both be considered plausible until attribution data is available.

What To Do

Per CISA's Known Exploited Vulnerabilities catalog, federal agencies are required to apply patches or mitigations by the deadline associated with the June 9, 2026 listing. All organizations should treat this as a high-priority patch given confirmed in-the-wild exploitation. Update Google Chrome, Microsoft Edge, Opera, and any other Chromium-based browsers to the latest available versions immediately. Where browser updates cannot be applied immediately, consider restricting access to untrusted or external web content through network controls or managed browser policies. Monitor endpoint detection telemetry for anomalous renderer process behavior or unexpected child process spawning from browser processes as potential indicators of exploitation attempts.

In Focus
All analysis →

Deep-research intelligence reports from Lyceum Intelligence — structured assessments with sourced claims and calibrated conclusions.

Browse Intelligence Reports →