CVE-2026-11645 Elastic Security · Elastic

Detect Google Chromium V8 Out-of-Bounds Read and Write Vulnerability (CVE-2026-11645) in Elastic Security

Detects exploitation attempts targeting CVE-2026-11645, an out-of-bounds read and write vulnerability in Google Chromium's V8 JavaScript engine. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Successful exploitation can lead to arbitrary code execution in the context of the browser process, enabling sandbox escape, credential theft, and further compromise.

MITRE ATT&CK

Tactic
Initial Access Execution Defense Evasion

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by host.name, process.parent.entity_id with maxspan=30s
  [process where event.type == "start"
   and process.name : ("chrome.exe", "msedge.exe", "brave.exe", "vivaldi.exe", "opera.exe")
   and process.parent.name != null]
  [process where event.type == "start"
   and process.name : ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                        "mshta.exe", "rundll32.exe", "regsvr32.exe", "schtasks.exe",
                        "certutil.exe", "bitsadmin.exe")
   and process.parent.name : ("chrome.exe", "msedge.exe", "brave.exe", "vivaldi.exe", "opera.exe")]
critical severity medium confidence

EQL sequence detection for browser-to-suspicious-child-process execution chains within a 30-second window, targeting post-exploitation patterns following CVE-2026-11645 V8 engine exploitation.

Data Sources

Elastic Endpoint SecurityWinlogbeatFilebeat with Sysmon module

Required Tables

logs-endpoint.events.process-*winlogbeat-*

False Positives & Tuning

  • Browser-integrated development environments that spawn shell processes
  • Enterprise software suites using browser UIs to launch native applications
  • Automated browser testing frameworks in CI/CD pipelines
  • Helpdesk and remote support tools launched via browser shortcuts

Other platforms for CVE-2026-11645

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate V8 Exploitation via Browser-Spawned PowerShell

    Expected signal: Sysmon Event ID 1 with PowerShell.exe spawning with -EncodedCommand flag; parent process visible in PPID chain; Windows Security Event 4688 if command-line auditing enabled

  2. Test 2Browser Renderer Process Spawning cmd.exe for Reconnaissance

    Expected signal: Windows Security Event 4688 or Sysmon Event ID 1 showing cmd.exe spawned with reconnaissance commands; process parent visible in telemetry; file creation event for test_spawn.txt

  3. Test 3Simulate Outbound C2 Connection from Browser Process Context

    Expected signal: Network connection attempt on port 4444 to non-RFC1918 IP from the process; DNS resolution attempt if hostname used; Sysmon Event ID 3 (network connection) or equivalent EDR network telemetry

  4. Test 4Renderer Process Writing Executable to Unexpected Path

    Expected signal: Sysmon Event ID 11 (file created) showing .exe file written to C:\Users\Public\ by PowerShell; file hash telemetry; MZ header written to unexpected location

Last updated: 2026-06-19 Research depth: standard
References (3)

Unlock Pro Content

Get the full detection package for CVE-2026-11645 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002ExecutionTA0005Defense Evasion

Related Techniques

T1203Exploitation for Client ExecutionT1059.007JavaScriptT1055Process Injection

Same Tactic: Initial Access

Popular Detections