Detect Google Chromium V8 Out-of-Bounds Read and Write Vulnerability (CVE-2026-11645) in Sumo Logic CSE
Detects exploitation attempts targeting CVE-2026-11645, an out-of-bounds read and write vulnerability in Google Chromium's V8 JavaScript engine. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Successful exploitation can lead to arbitrary code execution in the context of the browser process, enabling sandbox escape, credential theft, and further compromise.
MITRE ATT&CK
Sumo Detection Query
_sourceCategory=windows/sysmon OR _sourceCategory=windows/security
| json auto
| where (EventID = "1" or EventID = "4688")
| where (
(toLowerCase(ParentImage) matches "*chrome.exe*") OR
(toLowerCase(ParentImage) matches "*msedge.exe*") OR
(toLowerCase(ParentImage) matches "*brave.exe*") OR
(toLowerCase(ParentImage) matches "*vivaldi.exe*") OR
(toLowerCase(ParentImage) matches "*opera.exe*")
)
| where (
(toLowerCase(Image) matches "*cmd.exe*") OR
(toLowerCase(Image) matches "*powershell.exe*") OR
(toLowerCase(Image) matches "*mshta.exe*") OR
(toLowerCase(Image) matches "*wscript.exe*") OR
(toLowerCase(Image) matches "*rundll32.exe*") OR
(toLowerCase(Image) matches "*certutil.exe*")
)
| fields _messageTime, Computer, User, ParentImage, Image, CommandLine
| sort by _messageTime descSumo Logic query targeting suspicious child process spawning from Chromium-based browsers as an indicator of CVE-2026-11645 exploitation. Covers Sysmon and Windows Security event sources.
Data Sources
Required Tables
False Positives & Tuning
- Enterprise password managers or SSO tools integrated with browser context
- Browser automation tools used in QA or development pipelines
- IT support consoles that spawn administrative tools via browser interface
- Legitimate user actions invoking system tools from browser-based terminals
Other platforms for CVE-2026-11645
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate V8 Exploitation via Browser-Spawned PowerShell
Expected signal: Sysmon Event ID 1 with PowerShell.exe spawning with -EncodedCommand flag; parent process visible in PPID chain; Windows Security Event 4688 if command-line auditing enabled
- Test 2Browser Renderer Process Spawning cmd.exe for Reconnaissance
Expected signal: Windows Security Event 4688 or Sysmon Event ID 1 showing cmd.exe spawned with reconnaissance commands; process parent visible in telemetry; file creation event for test_spawn.txt
- Test 3Simulate Outbound C2 Connection from Browser Process Context
Expected signal: Network connection attempt on port 4444 to non-RFC1918 IP from the process; DNS resolution attempt if hostname used; Sysmon Event ID 3 (network connection) or equivalent EDR network telemetry
- Test 4Renderer Process Writing Executable to Unexpected Path
Expected signal: Sysmon Event ID 11 (file created) showing .exe file written to C:\Users\Public\ by PowerShell; file hash telemetry; MZ header written to unexpected location
Unlock Pro Content
Get the full detection package for CVE-2026-11645 including response playbook, investigation guide, and atomic red team tests.