Chrome Zero-Day in KEV Catalog Exposes Systemic Browser and Network Exposure Risks

CISA's addition of CVE-2026-11645 to the KEV catalog underscores an urgent shift in adversary tactics, where Chrome's V8 engine is now a direct vector for sandbox escapes that bypass traditional perimeter defenses. This out-of-bounds read/write flaw enables remote code execution via crafted HTML, aligning with observed patterns in campaigns by state-linked groups that chain browser exploits with network device weaknesses. The inclusion of Cisco's SD-WAN command execution bug and Arista's unpatched EOS tunnel decapsulation issue reveals a coordinated targeting of both endpoints and core infrastructure. Original reporting understates the strategic implication: Arista's decision to skip patches on 7020R, 7280R, and 7500R series leaves VXLAN and GRE deployments permanently exposed, creating reliable pivot points once initial browser footholds are gained. Federal agencies face a June 23, 2026 deadline, yet private sector lag will extend the window for lateral movement. Cross-referenced intelligence shows similar Chrome V8 issues historically exploited within 60-90 days of disclosure, suggesting imminent compromise campaigns against unpatched enterprise browsers. This convergence of active exploitation and permanent network misconfigurations points to heightened risk for supply chain and critical infrastructure operators.