Detect Google Chromium V8 Out-of-Bounds Read and Write Vulnerability (CVE-2026-11645) in IBM QRadar
Detects exploitation attempts targeting CVE-2026-11645, an out-of-bounds read and write vulnerability in Google Chromium's V8 JavaScript engine. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Successful exploitation can lead to arbitrary code execution in the context of the browser process, enabling sandbox escape, credential theft, and further compromise.
MITRE ATT&CK
QRadar Detection Query
SELECT DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
sourceip, destinationip, username,
"processPath" AS ParentProcess,
"childProcessPath" AS ChildProcess,
"commandLine" AS CommandLine,
LOGSOURCENAME(logsourceid) AS LogSource
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
AND LOWER("processPath") MATCHES '.*?(chrome|msedge|brave|vivaldi|opera)\.exe.*'
AND LOWER("childProcessPath") MATCHES '.*?(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32|schtasks|certutil|bitsadmin)\.exe.*'
AND starttime > '2026-06-09 00:00:00'
ORDER BY starttime DESC
LIMIT 1000QRadar AQL query identifying Chromium browser processes spawning high-risk system utilities, a key indicator of CVE-2026-11645 post-exploitation activity. Filters to events after the vulnerability disclosure date.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate enterprise browser management and kiosk software
- Browser-based IT administration portals that launch native management tools
- Developer tools and browser automation frameworks
- Security testing tools performing authorized browser-based assessments
Other platforms for CVE-2026-11645
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate V8 Exploitation via Browser-Spawned PowerShell
Expected signal: Sysmon Event ID 1 with PowerShell.exe spawning with -EncodedCommand flag; parent process visible in PPID chain; Windows Security Event 4688 if command-line auditing enabled
- Test 2Browser Renderer Process Spawning cmd.exe for Reconnaissance
Expected signal: Windows Security Event 4688 or Sysmon Event ID 1 showing cmd.exe spawned with reconnaissance commands; process parent visible in telemetry; file creation event for test_spawn.txt
- Test 3Simulate Outbound C2 Connection from Browser Process Context
Expected signal: Network connection attempt on port 4444 to non-RFC1918 IP from the process; DNS resolution attempt if hostname used; Sysmon Event ID 3 (network connection) or equivalent EDR network telemetry
- Test 4Renderer Process Writing Executable to Unexpected Path
Expected signal: Sysmon Event ID 11 (file created) showing .exe file written to C:\Users\Public\ by PowerShell; file hash telemetry; MZ header written to unexpected location
Unlock Pro Content
Get the full detection package for CVE-2026-11645 including response playbook, investigation guide, and atomic red team tests.