Google Chromium V8 Out-of-Bounds Read and Write Vulnerability (CVE-2026-11645)
Detects exploitation attempts targeting CVE-2026-11645, an out-of-bounds read and write vulnerability in Google Chromium's V8 JavaScript engine. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Successful exploitation can lead to arbitrary code execution in the context of the browser process, enabling sandbox escape, credential theft, and further compromise.
Vulnerability Intelligence
KEV — Known Exploited
Affected Software
- Vendor
- Product
- Chromium V8
Timeline
- Disclosed
- June 9, 2026
CVSS
What is the Google Chromium V8 Out-of-Bounds Read and Write Vulnerability (CVE-2026-11645)?
In MITRE ATT&CK, CVE-2026-11645 maps to the Initial Access, Execution and Defense Evasion tactics. Initial Access means the adversary is trying to get into your network.
This page provides production-ready detection logic for CVE-2026-11645, covering the data sources and telemetry it touches: Microsoft Defender for Endpoint, Windows Security Events and Azure Monitor. The queries below are rated critical severity at medium confidence and ship for 7 SIEM platforms: KQL, SPL, Elastic, QRadar, Sumo, YARA-L and LogScale.
MITRE ATT&CK
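// Child processes a browser should not normally launch.
let SuspiciousChildProcs = dynamic(["cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "schtasks.exe", "certutil.exe", "bitsadmin.exe"]);
// Chromium-based browsers that embed V8.
let BrowserProcs = dynamic(["chrome.exe", "msedge.exe", "brave.exe", "vivaldi.exe", "opera.exe"]);
union DeviceProcessEvents, SecurityEvent
| where TimeGenerated >= ago(7d)
// Process creation from Defender for Endpoint (ActionType) or Windows Security Event 4688.
| where (ActionType == "ProcessCreated" or EventID == 4688)
| where (InitiatingProcessFileName in~ (BrowserProcs) or ParentProcessName has_any (BrowserProcs))
| where (FileName in~ (SuspiciousChildProcs) or NewProcessName has_any (SuspiciousChildProcs))
// SecurityEvent (4688) rows use Computer, Account, ParentProcessName, NewProcessName and CommandLine;
// fold them into the Defender column names so they are projected and scored too.
| extend DeviceName = coalesce(DeviceName, Computer),
    AccountName = coalesce(AccountName, Account),
    InitiatingProcessFileName = coalesce(InitiatingProcessFileName, ParentProcessName),
    FileName = coalesce(FileName, NewProcessName),
    ProcessCommandLine = coalesce(ProcessCommandLine, CommandLine)
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine, InitiatingProcessCommandLine, InitiatingProcessId, ProcessId
// Score the child command line: 3 = encoded or download-cradle PowerShell, 2 = network retrieval, 1 = any other match.
| extend RiskScore = case(
    ProcessCommandLine has_any ("Invoke-", "EncodedCommand", "-enc", "IEX", "DownloadString"), 3,
    ProcessCommandLine has_any ("http", "ftp", "curl", "wget"), 2,
    1
)
// Every row scores at least 1; raise this threshold to keep only the higher tiers.
| where RiskScore >= 1
| order by RiskScore desc, TimeGenerated desc

Detects Chrome/Chromium browser processes spawning suspicious child processes that may indicate V8 engine exploitation leading to code execution. Focuses on high-risk post-exploitation child process patterns consistent with CVE-2026-11645 abuse.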
Data Sources
Required Tables
False Positives
- Legitimate browser extensions or enterprise software that invoke command-line tools
- Developer workflows that launch terminals or scripts from within the browser
- Automated test frameworks (Selenium, Playwright) that control browser processes
- IT management tools that use browser-based consoles and spawn administrative processes
Sigma rule & cross-platform mapping
The detection logic for CVE-2026-11645 above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native queries for KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, YARA-L (Google Chronicle / SecOps) and CrowdStrike LogScale (CQL). In Sigma terms, this detection targets the following logsource:
logsource:
    category: process_creation
    product: windows
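A Sigma rule carrying the same parent/child selection as the KQL query above, written here as an added example (it is not this site's rule or a community rule). The title, the status and the all-zero id are assumptions; replace the id with a freshly generated UUID before deploying.

```yaml
title: Chromium-Based Browser Spawning Suspicious Child Process
id: 00000000-0000-0000-0000-000000000000  # placeholder, not a real rule id
status: experimental
description: >
    Chromium-based browser process spawning a shell, script host or LOLBin,
    a post-exploitation pattern consistent with V8 exploitation such as
    CVE-2026-11645.
tags:
    - attack.initial-access
    - attack.execution
    - attack.defense-evasion
    - cve.2026-11645
logsource:
    category: process_creation
    product: windows
detection:
    # Parent is one of the browsers listed in BrowserProcs in the KQL query.
    selection_parent:
        ParentImage|endswith:
            - '\chrome.exe'
            - '\msedge.exe'
            - '\brave.exe'
            - '\vivaldi.exe'
            - '\opera.exe'
    # Child is one of the binaries listed in SuspiciousChildProcs.
    selection_child:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\wscript.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\rundll32.exe'
            - '\regsvr32.exe'
            - '\schtasks.exe'
            - '\certutil.exe'
            - '\bitsadmin.exe'
    condition: selection_parent and selection_child
falsepositives:
    - Legitimate browser extensions or enterprise software that invoke command-line tools
    - Developer workflows that launch terminals or scripts from within the browser
    - Automated test frameworks (Selenium, Playwright) that control browser processes
    - IT management tools that use browser-based consoles and spawn administrative processes
level: critical
```

The RiskScore tiers of the KQL query are not expressed in this rule; the command-line scoring would be applied in the target SIEM after conversion.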
Platform-specific guides for CVE-2026-11645
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Simulate V8 Exploitation via Browser-Spawned PowerShell
  Expected signal: Sysmon Event ID 1 with PowerShell.exe spawning with -EncodedCommand flag; parent process visible in PPID chain; Windows Security Event 4688 if command-line auditing enabled
- Test 2: Browser Renderer Process Spawning cmd.exe for Reconnaissance
  Expected signal: Windows Security Event 4688 or Sysmon Event ID 1 showing cmd.exe spawned with reconnaissance commands; process parent visible in telemetry; file creation event for test_spawn.txt
- Test 3: Simulate Outbound C2 Connection from Browser Process Context
  Expected signal: Network connection attempt on port 4444 to non-RFC1918 IP from the process; DNS resolution attempt if hostname used; Sysmon Event ID 3 (network connection) or equivalent EDR network telemetry
- Test 4: Renderer Process Writing Executable to Unexpected Path
  Expected signal: Sysmon Event ID 11 (file created) showing .exe file written to C:\Users\Public\ by PowerShell; file hash telemetry; MZ header written to unexpected location