Technical description
An out-of-bounds read and write vulnerability in V8, Chrome's JavaScript and WebAssembly engine, allows remote attackers to execute arbitrary code inside the browser sandbox via a crafted HTML page. Google confirmed active exploitation and shipped a patch in Chrome 149.0.7827.102/103. CISA added the CVE to its KEV catalog on June 9, 2026. V8 vulnerabilities are of elevated concern for AI-adjacent environments because browser-based LLM interfaces, WebGPU model inference, and Electron-based AI coding agents (Cursor, Claude Code desktop) all run atop Chromium/V8.
Attack vector
A victim visits an attacker-controlled or compromised webpage; the crafted JavaScript triggers the out-of-bounds memory access in V8, achieving code execution inside the Chrome renderer sandbox. Threat actors likely chain this with a sandbox escape for full device compromise.
Affected systems
Google Chrome prior to version 149.0.7827.103 on Windows/macOS and 149.0.7827.102 on Linux; also Microsoft Edge, Brave, Opera, Vivaldi, and any Chromium-based browser or Electron application that has not yet received the update — including AI coding agents built on Electron.
Mitigation
Update Chrome to 149.0.7827.102/.103 immediately; do not wait for auto-update. Enterprise teams should push the update via policy and verify running processes have restarted. Electron-based AI coding tools (Cursor, Claude Code desktop app, VS Code) maintain their own Chromium builds and must be updated independently — check each vendor's release notes.
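The following is an added example, not part of the advisory: a triage of a Chrome inventory against the fixed builds listed under "Affected systems", separating hosts that are patched on disk but still running an old process. The record fields, hostnames and sample versions are constructed assumptions, and it covers Google Chrome only, since other Chromium-based products carry their own version numbers.

```python
# Fixed builds as stated in the advisory, keyed by OS family.
FIXED = {
    "windows": (149, 0, 7827, 103),
    "macos": (149, 0, 7827, 103),
    "linux": (149, 0, 7827, 102),
}

def parse_version(text):
    """Turn '149.0.7827.103' into an int tuple so .99 sorts below .103."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part Chrome version: {text!r}")
    return tuple(int(p) for p in parts)

def triage(record):
    """Classify one record: 'installed' is the on-disk version, 'running' the
    live process version (None when Chrome is not running)."""
    fixed = FIXED.get(record["os"])
    try:
        installed = parse_version(record["installed"])
        running = parse_version(record["running"]) if record["running"] else None
    except ValueError:
        return "UNKNOWN"
    if fixed is None:
        return "UNKNOWN"
    if installed < fixed:
        return "VULNERABLE"
    if running is not None and running < fixed:
        return "RESTART_REQUIRED"  # patched on disk, old binary still in memory
    return "PATCHED"

# Constructed sample inventory; hosts and field names are illustrative.
INVENTORY = [
    {"host": "win-01", "os": "windows", "installed": "149.0.7827.103", "running": "149.0.7827.103"},
    {"host": "win-02", "os": "windows", "installed": "149.0.7827.103", "running": "149.0.7827.99"},
    {"host": "win-03", "os": "windows", "installed": "149.0.7827.99", "running": None},
    {"host": "lin-01", "os": "linux", "installed": "149.0.7827.102", "running": "149.0.7827.102"},
    {"host": "lin-02", "os": "linux", "installed": "unknown", "running": None},
]

def report(inventory):
    """Map each host to its triage status."""
    return {r["host"]: triage(r) for r in inventory}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:8} {status}")
```

Hosts reported as RESTART_REQUIRED have the update installed but remain exposed until the browser process is relaunched.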