Detect Google Chromium V8 Out-of-Bounds Read and Write Vulnerability (CVE-2026-11645) in Splunk
Detects exploitation attempts targeting CVE-2026-11645, an out-of-bounds read and write vulnerability in Google Chromium's V8 JavaScript engine. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Successful exploitation can lead to arbitrary code execution in the context of the browser process, enabling sandbox escape, credential theft, and further compromise.
MITRE ATT&CK
SPL Detection Query
index=windows (sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=1) OR (sourcetype=wineventlog EventCode=4688)
| eval parent=lower(coalesce(ParentImage, ParentProcessName))
| eval child=lower(coalesce(Image, NewProcessName))
| where match(parent, "(chrome|msedge|brave|vivaldi|opera)\.exe")
| where match(child, "(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32|schtasks|certutil|bitsadmin)\.exe")
| eval risk_score=case(
match(CommandLine, "(?i)(invoke-|encodedcommand|-enc |iex |downloadstring)"), 3,
match(CommandLine, "(?i)(http[s]?://|ftp://|curl|wget)"), 2,
true(), 1
)
| table _time, host, user, parent, child, CommandLine, risk_score
| sort -risk_score, -_timeSplunk query detecting suspicious child process spawning from Chromium-based browsers, indicative of V8 OOB exploitation (CVE-2026-11645). Uses Sysmon Event ID 1 or Windows Security Event 4688 for process creation telemetry.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Enterprise browser management solutions that legitimately spawn admin tools from browser context
- Developer toolchains using browser-integrated build systems
- Automated QA and CI/CD pipelines that instrument browsers via Selenium or similar
- Help desk software using browser-based remote administration consoles
Other platforms for CVE-2026-11645
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate V8 Exploitation via Browser-Spawned PowerShell
Expected signal: Sysmon Event ID 1 with PowerShell.exe spawning with -EncodedCommand flag; parent process visible in PPID chain; Windows Security Event 4688 if command-line auditing enabled
- Test 2Browser Renderer Process Spawning cmd.exe for Reconnaissance
Expected signal: Windows Security Event 4688 or Sysmon Event ID 1 showing cmd.exe spawned with reconnaissance commands; process parent visible in telemetry; file creation event for test_spawn.txt
- Test 3Simulate Outbound C2 Connection from Browser Process Context
Expected signal: Network connection attempt on port 4444 to non-RFC1918 IP from the process; DNS resolution attempt if hostname used; Sysmon Event ID 3 (network connection) or equivalent EDR network telemetry
- Test 4Renderer Process Writing Executable to Unexpected Path
Expected signal: Sysmon Event ID 11 (file created) showing .exe file written to C:\Users\Public\ by PowerShell; file hash telemetry; MZ header written to unexpected location
Unlock Pro Content
Get the full detection package for CVE-2026-11645 including response playbook, investigation guide, and atomic red team tests.