MultiApp-CVE-2026-11645


Lookout Coverage and Recommendation for Admins
Lookout is scheduled to release security coverage for MultiApp-CVE-2026-11645 affecting Google Chrome for Android and Microsoft Edge for Android on June 23, 2026. Once the coverage is deployed, the platform will automatically generate alerts and initiate workflows in accordance with each administrator’s configured risk thresholds, response policies, and escalation procedures.
To ensure devices are protected, Lookout administrators should take the following actions within the Lookout console:
- Enable the Application Vulnerability policy to detect vulnerable browser versions. Because MultiApp-CVE-2026-11645 is actively exploited in the wild, Lookout recommends setting the severity to High and considering blocking access to work data until affected browsers are updated.
- Remediate all devices with Google Chrome for Android versions prior to 149.0.7827.102 and Microsoft Edge for Android versions prior to 149.0.4022.67.
- Enable Lookout Phishing & Content Protection (PCP) to protect mobile users from phishing campaigns and malicious websites designed to exploit browser vulnerabilities, steal credentials, or deliver malicious payloads.
Overview
An anonymous security researcher recently disclosed an actively exploited vulnerability in the V8 JavaScript and WebAssembly engine used by Chromium-based browsers. Tracked as MultiApp-CVE-2026-11645, the vulnerability is an out-of-bounds read/write flaw that affects mobile browsers built on Chromium, including Google Chrome and Microsoft Edge.
Successful exploitation could allow a remote attacker to achieve arbitrary code execution within the browser sandbox by convincing a user to visit a malicious or specially crafted webpage. Google has confirmed that an exploit for this vulnerability exists in the wild. As a result, the vulnerability has been assigned a CVSS score of 8.8 (High).
Google has released a patch for Chrome for Android in version 149.0.7827.102 and later, and for Microsoft Edge for Android in version 149.0.4022.67 and later. Devices running versions below these thresholds may be vulnerable and should be updated immediately.
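The following triage sketch is an added example, not Lookout's or Google's code: it checks a device inventory against the two fixed versions above, comparing each version component numerically. The package names (the browsers' published Android app IDs), the CSV column names and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
import re

# Fixed versions from this advisory, keyed by Android package name.
# Assumption: the package names are the browsers' published app IDs;
# they do not appear in the advisory itself.
FIXED = {
    "com.android.chrome": (149, 0, 7827, 102),  # Google Chrome for Android
    "com.microsoft.emmx": (149, 0, 4022, 67),   # Microsoft Edge for Android
}

def parse_version(text):
    """Return a 4-tuple of ints, or None if not a dotted 4-part version."""
    text = (text or "").strip()
    if not re.fullmatch(r"[0-9]+(?:\.[0-9]+){3}", text):
        return None
    return tuple(int(part) for part in text.split("."))

def classify(package, version_text):
    """Return 'vulnerable', 'patched', 'unknown' or 'not-in-scope'."""
    fixed = FIXED.get(package)
    if fixed is None:
        return "not-in-scope"
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # unparseable: review by hand, never assume patched
    # Tuple comparison is numeric per component; comparing the raw strings
    # would rank "149.0.7827.99" above "149.0.7827.102".
    return "vulnerable" if version < fixed else "patched"

def triage(inventory_csv):
    """Return (device_id, package, status) for every row of a CSV export."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return [(r["device_id"], r["package"], classify(r["package"], r["version"]))
            for r in rows]

# Constructed sample inventory (hypothetical device IDs and column names).
SAMPLE = """device_id,package,version
dev-001,com.android.chrome,149.0.7827.99
dev-002,com.android.chrome,149.0.7827.102
dev-003,com.microsoft.emmx,148.0.4001.12
dev-004,com.microsoft.emmx,149.0.4022.67
dev-005,com.android.chrome,
dev-006,com.example.browser,1.2.3.4
"""

if __name__ == "__main__":
    for device, package, status in triage(SAMPLE):
        print(f"{device}\t{package}\t{status}")
```

Rows reported as unknown have no usable version string and should be checked on the device rather than counted as patched.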
U.S. federal agencies following Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) guidance are required to remediate MultiApp-CVE-2026-11645 by June 23, 2026. While this mandate applies specifically to federal systems, enterprise organizations are strongly encouraged to follow the same remediation timeline due to confirmed active exploitation.
Lookout Analysis
This vulnerability poses a high risk because it allows arbitrary code execution within the browser sandbox. Successful exploitation could expose sensitive information accessible to the browser, including session cookies, authentication tokens, enterprise credentials, and personally identifiable information (PII). Depending on the user's privileges and browser context, exploitation may also enable unauthorized actions on behalf of the user.
The exploitation of MultiApp-CVE-2026-11645 generally follows these stages:
- Luring: The user is directed to a malicious or specially crafted webpage.
- Triggering: The browser processes attacker-controlled content that invokes the vulnerable V8 JavaScript engine.
- Memory Corruption: An out-of-bounds read/write condition causes memory corruption within the browser process.
- Exploitation: The attacker achieves arbitrary code execution within the browser sandbox and gains access to browser-resident data, such as session tokens, cookies, and authentication artifacts.
- Post-Exploitation: The attacker may conduct credential theft, session hijacking, malware delivery, or other malicious activities.

