Google CVE-2026-11645 Added to CISA KEV Under Active Exploitation

Key findings

• CISA added Google vulnerability CVE-2026-11645 to its Known Exploited Vulnerabilities catalog on June 9, 2026.
• The vulnerability is confirmed to be actively exploited in the wild by threat actors.
• There is currently no confirmed association between CVE-2026-11645 and active ransomware campaigns.
• Federal agencies and private organizations must prioritize patching the flaw to prevent potential compromise.

The Cybersecurity and Infrastructure Security Agency (CISA) expanded its Known Exploited Vulnerabilities (KEV) catalog on June 9, 2026, adding a single security flaw affecting Google products. Tracked as CVE-2026-11645, the vulnerability has been observed in active exploitation, posing a significant risk to organizations relying on the affected software.

While specific technical details regarding the exploitation vector are often closely guarded during initial mitigation phases, the inclusion of CVE-2026-11645 in the KEV catalog indicates that threat actors are actively leveraging this flaw to compromise systems. Google has addressed the issue, and administrators are urged to verify that their environments are running patched versions.

At this time, there is no official confirmation linking CVE-2026-11645 to known ransomware campaigns. However, unpatched vulnerabilities in widely deployed Google technologies frequently become prime targets for a broad spectrum of threat actors, ranging from state-sponsored groups to opportunistic cybercriminals.

In accordance with Binding Operational Directive (BOD) 22-01, federal civilian executive branch agencies are required to apply the necessary updates by the specified CISA due date, typically three weeks from the addition. For private sector organizations, CISA strongly recommends prioritizing this patch immediately to mitigate the risk of unauthorized access or execution.