Chrome Zero-Day Exploited in 2026
CVE-2026-2783, a zero-day in Chrome's V8 engine, was exploited in targeted attacks against sensitive data handlers. No file writes occurred; execution stayed within the browser process. Detection failures stemmed from normal-looking network behavior and lack of alerts across EDR and SIEM systems.
CVE-2026-2783 | CVSS v3: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). Patch boundary: Chrome < 138.0.7204.68. Fixed June 12, 2026. Affects Windows, macOS, Linux.
The primitive is type confusion in V8’s Turbofan JIT compiler. During speculative optimization of polymorphic inline caches, Turbofan fails to invalidate stale type feedback when an object undergoes a property transition that changes its hidden class. The engine retains a Map pointer typed as JSArray while the underlying object has transitioned to JSObject layout. That mismatch produces a controlled out-of-bounds read/write on the V8 heap. From that primitive an attacker constructs addrof and fakeobj gadgets using ArrayBuffer backing-store manipulation, then corrupts a WASM memory region to reach arbitrary code execution inside the sandboxed renderer. The full chain executes on a single navigation event — no user interaction, no file written to disk, no process spawned outside chrome.exe --type=renderer during the initial access stage. T1189 (Drive-by Compromise), T1059.007 (JavaScript), T1203 (Exploitation for Client Execution).
Delivery infrastructure used fast-flux DNS with 15-minute TTLs pushed through a third-party recursive resolver to frustrate static blocklist coverage. The C2 domains share a registrar pattern and hosting ASN with phishing infrastructure active since January 2026 — bulk-registered via a privacy-proxy registrar with a high-volume hosting provider in AS202425. The actor reused this ASN across the January campaign. Attribution remains unconfirmed as of patch date.
Telemetry picture: Sysmon EID 1 fires on the renderer spawn — chrome.exe --type=renderer with an elevated open-handle count and command-line flags inconsistent with normal renderer initialization. Useful only in correlation; renderer spawns are high-volume noise in isolation. The high-fidelity signal is Sysmon EID 3: outbound HTTPS initiated directly from the renderer process to an IP with no corresponding prior navigation event in proxy logs. Renderers do not originate independent network connections under normal V8 operation — this event pattern has a low false-positive rate when scoped to renderer process type. Sysmon EID 10 appears if a sandbox escape follows: cross-process memory access from a renderer instance targeting a non-browser process. Windows Security EID 4688 enters the chain only if a secondary payload is staged post-escape and spawns a child process. Most EDR platforms suppress JIT-region RWX allocation alerts due to V8’s legitimate code emission behavior; without correlation against the EID 3 network event, confidence stays low. SIEM evasion is structural — renderer-to-network HTTPS is indistinguishable from normal browser traffic on content alone. Detection requires behavioral baselining of renderer network initiation, not signature matching.
Observed exploitation targeted finance and critical infrastructure organizations. The intrusion set operated fileless through the confirmed attack window: no registry writes, no service installation, no persistence mechanism recovered. That pattern points to either a reconnaissance-first stage or a deliberate decision to suppress the persistence loader pending target validation. In cases where sandbox escape did not follow, compromise scope was bounded to in-renderer data: session storage, cached credentials in the renderer process, DOM state of visited pages.
Detection priority, in order: alert on renderer processes initiating outbound connections to IPs absent from the session’s established navigation set — false-positive rate is low when the rule is scoped to --type=renderer command-line strings. Second, correlate Sysmon EID 10 cross-process access events originating from any renderer instance against concurrent anomalous network events from that same PID. Third, block or alert on domains matching the AS202425 hosting pattern tied to the January 2026 phishing infrastructure; indicators are available in commercial threat intel feeds as of Q1 2026.
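The first two detection priorities above, as correlation logic run over constructed sample events (added here as an illustration, not tooling from the original post). The event dicts are a simplified stand-in for Sysmon EID 1, 3 and 10 fields, the proxy navigation set is assumed to be the IPs resolved during the session's page loads, and all PIDs and IPs are made up.

```python
# Constructed sample telemetry, not real Sysmon output. Fields are reduced to
# what the rules need: EID 1 (process create), EID 3 (network connect),
# EID 10 (process access).
SYSMON_EVENTS = [
    {"eid": 1, "pid": 4120, "cmdline": "chrome.exe --type=renderer --lang=en-US"},
    {"eid": 1, "pid": 4200, "cmdline": "chrome.exe --type=gpu-process"},
    {"eid": 3, "pid": 4120, "dest_ip": "203.0.113.10", "dest_port": 443},
    {"eid": 3, "pid": 4120, "dest_ip": "198.51.100.77", "dest_port": 443},
    {"eid": 3, "pid": 4200, "dest_ip": "198.51.100.77", "dest_port": 443},
    {"eid": 10, "source_pid": 4120, "target_image": "C:\\Windows\\explorer.exe"},
]
# Assumed: destination IPs the proxy saw this session resolve via page navigation.
PROXY_NAVIGATIONS = {"203.0.113.10"}


def renderer_pids(events):
    """PIDs whose EID 1 command line carries --type=renderer (rule scope)."""
    return {e["pid"] for e in events
            if e["eid"] == 1 and "--type=renderer" in e["cmdline"]}


def anomalous_renderer_connections(events, navigated_ips):
    """Priority 1: EID 3 from a renderer PID to an IP with no prior navigation.
    Non-renderer Chrome processes (gpu, network service) are out of scope."""
    pids = renderer_pids(events)
    return [(e["pid"], e["dest_ip"]) for e in events
            if e["eid"] == 3 and e["pid"] in pids
            and e["dest_ip"] not in navigated_ips]


def correlate_escape(events, anomalies):
    """Priority 2: EID 10 cross-process access from a PID already flagged by
    priority 1, targeting something other than another chrome.exe instance."""
    flagged = {pid for pid, _ in anomalies}
    return [(e["source_pid"], e["target_image"]) for e in events
            if e["eid"] == 10 and e["source_pid"] in flagged
            and "chrome.exe" not in e["target_image"].lower()]


def triage(events, navigated_ips):
    """Map each flagged renderer PID to the highest-confidence finding."""
    anomalies = anomalous_renderer_connections(events, navigated_ips)
    verdict = {pid: "anomalous-renderer-network" for pid, _ in anomalies}
    for pid, _ in correlate_escape(events, anomalies):
        verdict[pid] = "possible-sandbox-escape"
    return verdict


if __name__ == "__main__":
    print(triage(SYSMON_EVENTS, PROXY_NAVIGATIONS))
```

The gpu-process connection to the same unknown IP is deliberately left unflagged to show why the rule is scoped to the renderer command line.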
Update to Chrome >= 138.0.7204.68. Enterprise update policies running 4-week staged testing cycles absorbed the entire confirmed exploitation window. An emergency exception process for vulnerabilities with in-the-wild exploitation is not optional operational hygiene — it is the gap this incident exposed. If that process does not exist, build it before the next zero-day presents the same question.