Detect Google Chromium V8 Out-of-Bounds Read and Write Vulnerability (CVE-2026-11645) in Google Chronicle
Detects exploitation attempts targeting CVE-2026-11645, an out-of-bounds read and write vulnerability in Google Chromium's V8 JavaScript engine. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Successful exploitation can lead to arbitrary code execution in the context of the browser process, enabling sandbox escape, credential theft, and further compromise.
MITRE ATT&CK
YARA-L Detection Query
rule cve_2026_11645_chromium_v8_exploit {
meta:
author = "df00tech Detection Engineering"
description = "Detects potential exploitation of CVE-2026-11645 Chromium V8 OOB via suspicious child process spawning"
severity = "CRITICAL"
priority = "HIGH"
reference = "https://nvd.nist.gov/vuln/detail/CVE-2026-11645"
events:
$parent.metadata.event_type = "PROCESS_LAUNCH"
$parent.principal.process.file.full_path = /(?i)(chrome|msedge|brave|vivaldi|opera)\.exe/
$child.metadata.event_type = "PROCESS_LAUNCH"
$child.principal.process.file.full_path = /(?i)(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32|schtasks|certutil|bitsadmin)\.exe/
$child.target.process.parent_process.file.full_path = /(?i)(chrome|msedge|brave|vivaldi|opera)\.exe/
$parent.metadata.event_timestamp.seconds < $child.metadata.event_timestamp.seconds
$child.metadata.event_timestamp.seconds - $parent.metadata.event_timestamp.seconds <= 30
match:
$child.principal.hostname over 5m
outcome:
$risk_score = 85
$hostname = $child.principal.hostname
$username = $child.principal.user.userid
$child_process = $child.principal.process.file.full_path
$parent_process = $child.target.process.parent_process.file.full_path
$cmdline = $child.principal.process.command_line
condition:
$parent and $child
}Chronicle YARA-L 2.0 rule correlating Chromium browser process events with subsequent suspicious child process launches within a 30-second window, indicating potential CVE-2026-11645 exploitation.
Data Sources
Required Tables
False Positives & Tuning
- Browser-based enterprise administration tools spawning command-line utilities
- Developer workflow automation triggered from browser IDEs
- Security testing and penetration testing tools using browser exploitation frameworks
- Scripted browser automation in CI/CD or QA environments
Other platforms for CVE-2026-11645
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate V8 Exploitation via Browser-Spawned PowerShell
Expected signal: Sysmon Event ID 1 with PowerShell.exe spawning with -EncodedCommand flag; parent process visible in PPID chain; Windows Security Event 4688 if command-line auditing enabled
- Test 2Browser Renderer Process Spawning cmd.exe for Reconnaissance
Expected signal: Windows Security Event 4688 or Sysmon Event ID 1 showing cmd.exe spawned with reconnaissance commands; process parent visible in telemetry; file creation event for test_spawn.txt
- Test 3Simulate Outbound C2 Connection from Browser Process Context
Expected signal: Network connection attempt on port 4444 to non-RFC1918 IP from the process; DNS resolution attempt if hostname used; Sysmon Event ID 3 (network connection) or equivalent EDR network telemetry
- Test 4Renderer Process Writing Executable to Unexpected Path
Expected signal: Sysmon Event ID 11 (file created) showing .exe file written to C:\Users\Public\ by PowerShell; file hash telemetry; MZ header written to unexpected location
Unlock Pro Content
Get the full detection package for CVE-2026-11645 including response playbook, investigation guide, and atomic red team tests.