V8 again. CVE-2026-11645 is an out-of-bounds read and write in Chrome's JavaScript engine, reported April 27 and patched June 9 after Google confirmed active exploitation. The fix ships as 149.0.7827.102/.103 on Windows and macOS, and .102 on Linux. Technical details are being withheld until the update reaches enough of the install base — standard practice, though it rarely buys more than a few days. The $55,000 bug bounty signals Google considers this a meaningful find. This is the fifth Chrome zero-day Google has patched in 2026. That pace keeps V8 near the top of every browser attack surface list, and it is worth noting that Apple separately patched two zero-days described as tied to the same Chrome flaw — suggesting coordinated disclosure across the two codebases. Update now; there is nothing to evaluate here.