Phone us
Security updates are only effective if organisations can confirm they have been applied. This article looks at what the latest Google Chrome vulnerability teaches us about patch management, asset visibility and the importance of verifying that security controls are working as intended.

In June 2026, Google released an emergency security update to address CVE-2026-11645, a high-severity vulnerability affecting the Chrome browser’s V8 JavaScript engine. Google confirmed that the vulnerability was being actively exploited before a fix became available, making it the fifth Chrome zero-day vulnerability addressed by the company during 2026.

For many organisations, the response was simple. Chrome updates automatically, problem solved.

Unfortunately, cyber security is rarely that straightforward.

The latest Chrome vulnerability highlights a challenge that extends far beyond web browsers. Many organisations assume that because security updates are available, they are protected. In reality, the most important question is not whether a patch exists, but whether it has actually been deployed across every affected system.

The Real Problem Is Not the Vulnerability

Security vulnerabilities are discovered every day. According to the National Vulnerability Database, hundreds of new vulnerabilities are disclosed each month across operating systems, applications, cloud services and network infrastructure.

The existence of vulnerabilities is therefore not unusual. What determines organisational risk is how quickly those vulnerabilities can be identified, prioritised and remediated.

The recent Chrome vulnerability is a good example. The flaw allowed attackers to perform out-of-bounds memory operations within Chrome’s V8 engine, potentially enabling arbitrary code execution inside the browser’s sandbox through a specially crafted web page.

Google responded quickly by releasing patches. However, releasing a patch and deploying a patch are two very different things.

Why Automatic Updates Create a False Sense of Security

Modern software vendors have invested heavily in automated update mechanisms. Browsers, operating systems and cloud services are increasingly designed to update themselves with minimal user involvement. This is undoubtedly a positive development. However, automatic updates do not eliminate the need for oversight.

Devices may be offline when updates are released. Users may delay browser restarts. Contractors may operate unmanaged devices. Suppliers may access systems using equipment that falls outside the organisation’s control.

As a result, organisations often discover that supposedly remediated vulnerabilities remain present across parts of their environment. From a governance perspective, this creates a significant challenge. A control cannot be considered effective simply because it has been configured. It must be monitored and verified.

The Three Questions Every Organisation Should Be Able to Answer

When assessing vulnerability management programmes, three questions consistently separate mature organisations from those relying on assumptions:

Do we know which assets we own?

Can we identify which assets are vulnerable?

Can we prove that remediation has been completed?

Many organisations can answer the first question with reasonable confidence. Fewer can answer the second comprehensively. Even fewer can provide evidence supporting the third. Without clear visibility of assets, software versions and remediation activities, automatic updates become a matter of trust rather than assurance.

What Auditors Want to See

This distinction becomes particularly important during cyber security audits and compliance assessments. Whether the assessment relates to ISO 27001, SWIFT CSP or broader operational resilience requirements, auditors are generally less interested in whether an update mechanism exists, and more interested in whether the organisation can demonstrate control effectiveness.

Evidence often includes asset inventories, vulnerability reports, patch deployment records, exception management processes and management oversight. Policies and procedures are important, but evidence is what demonstrates compliance.

The organisations that perform best during audits are rarely those with the most sophisticated technology. They are usually the organisations that can clearly demonstrate visibility, accountability and governance.

From Patch Management to Cyber Resilience

The broader lesson from the Chrome vulnerability is that cyber security is not solely a technical discipline. It is increasingly a governance and resilience challenge. Attackers do not care whether an organisation has an automatic update policy. They care whether vulnerable systems still exist.

As organisations become more dependent on cloud services, remote working and third-party suppliers, maintaining visibility over technology assets becomes significantly more difficult. The ability to identify and remediate vulnerabilities is therefore becoming a key measure of operational resilience.

How AJC Can Help

At AJC, we help organisations understand and strengthen their approach to cyber security, governance and operational resilience.

Our team can support organisations with vulnerability assessments, penetration testing, Cyber Essentials and Cyber Essentials Plus readiness, SWIFT CSP assurance, risk management and governance reviews. This can help organisations identify where vulnerabilities may exist, assess whether patch management processes are effective, and understand whether controls are operating as intended.

We can also help organisations review the evidence needed to demonstrate control effectiveness during audits and compliance assessments. By taking a practical, risk-based approach, AJC supports organisations in moving beyond assumed protection and towards greater visibility, assurance and resilience.

Conclusion

The recent Chrome zero-day vulnerability should serve as a reminder that security updates are only one part of the solution. Automatic updates remain an important control and should be enabled wherever possible.

However, they are not a cyber security strategy. A mature security programme requires visibility, verification and assurance. Organisations must be able to identify vulnerable assets, confirm remediation and demonstrate that controls are operating as intended.

Ultimately, cyber resilience is not defined by whether patches are available. It is defined by whether organisations can prove that they have been applied.

Contact us on 020 7101 4861 or email us at info@ajollyconsulting.co.uk if you think we can help.

Sources:

https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0153744567.html

https://nvd.nist.gov/vuln/detail/CVE-2026-11645

https://www.securityweek.com/google-patches-5th-chrome-zero-day-exploited-in-2026/

https://www.helpnetsecurity.com/2026/06/09/google-chrome-zero-day-cve-2026-11645/

https://thehackernews.com/2026/06/chrome-v8-zero-day-cve-2026-11645.html

Image accreditation: Zulfugar Karimov (November 2025) from Unsplash.com. Last accessed on 8 July 2026. Available at: https://unsplash.com/photos/google-chrome-app-displayed-on-a-smartphone-screen-_SbX-iIRWf0

In case you missed it...

Compliance Cyber Attack
Why Compliance Alone Won’t Stop a...

Compliance with recognised cyber security standards is an important part of managing risk, but it should not be mistaken for...

Read More
Dashlane Password Vault Incident
What Businesses Can Learn from the...

A recent Dashlane security incident has raised important questions about password managers, master passwords and authentication controls. This article looks...

Read More
natasha cummings
Meet Natasha Cummings, Risk and Fraud...

In this series, we introduce the people behind AJC and the experience they bring to the business. In this profile,...

Read More

Get in touch

    By submitting this form you are consenting that your data be handled in accordance with our Privacy Notice and we will be in touch regarding your enquiry.