This is the fifth Chrome zero-day fixed so far in 2026. CVE-2026-11645 is an out-of-bounds read/write in V8 — Chrome's JavaScript engine — and Google confirmed active exploitation before the patch landed. The point release (149.0.7827.102 on Linux, .102/.103 on Windows and macOS) carries no new features, just the security fix. Auto-update will catch most consumer installs, but enterprise fleets that pin or stage Chrome versions need to push this one fast. Check your managed-device policy before assuming rollout is complete.