Google Patches Two Chrome Zero-Days Actively Exploited in the Wild, CISA Adds to KEV Catalog

Google has released emergency security updates for two high-severity vulnerabilities in Chrome that are being actively exploited in the wild. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added both flaws to its Known Exploited Vulnerabilities (KEV) catalog, which sets a binding remediation deadline for federal civilian agencies under Binding Operational Directive 22-01.

The Vulnerabilities

The two high-severity flaws sit in foundational components shared by every Chromium-based browser:

CVE-2026-3909 (CVSS 8.8): An out-of-bounds write in the Skia 2D graphics library. Because Skia renders page content for Chrome, Edge and every other Chromium browser, a crafted webpage is enough to trigger the memory corruption, and a working exploit turns it into arbitrary code execution in the process that rendered the page.

CVE-2026-3910 (CVSS 8.8): Classified by Google as an inappropriate implementation in the V8 JavaScript and WebAssembly engine, and described in reporting as a type confusion. A crafted HTML page can exploit it to execute arbitrary code inside the renderer sandbox; reaching the underlying host from there requires chaining a separate sandbox escape.

Why It Matters

Both vulnerabilities were discovered by Google’s internal security team on March 10, 2026, and fixed two days later on March 12. A two-day turnaround is unusually fast for Chrome and reflects the urgency that confirmed in-the-wild exploitation carries.

“Google is aware that exploits for both CVE-2026-3909 and CVE-2026-3910 exist in the wild,” the company stated in its security advisory.

With these two fixes, Chrome has had three actively exploited zero-days patched in 2026; the first, CVE-2026-2441 (a use-after-free in CSS handling), was fixed in February. The pace shows that threat actors continue to invest heavily in browser exploitation as an initial-access vector.

Affected Products

The vulnerabilities affect:

  • Google Chrome — versions prior to 146.0.7680.75/76
  • Microsoft Edge — builds that have not yet incorporated the Chromium 146 fixes; take the exact fixed build from Microsoft’s Edge security release notes rather than from third-party summaries
  • All Chromium-based browsers — including Brave, Opera, Vivaldi, and others

The Skia vulnerability (CVE-2026-3909) has a wider blast radius than the browser: Skia is also the rendering backend for Android, Flutter applications and a range of desktop software, and each of those picks up the fix only when its own vendor ships an updated Skia.

CISA KEV Catalog Requirements

CISA added both CVEs to the KEV catalog on March 13, 2026, which carries specific requirements:

  • Federal civilian executive branch agencies: must remediate by April 3, 2026 under BOD 22-01
  • Private sector: CISA strongly recommends treating KEV entries as top-priority remediation items

Mitigation Steps

Organizations should take immediate action:

  • Update Chrome to version 146.0.7680.75/76 (Windows/macOS) or 146.0.7680.75 (Linux)
  • Update Microsoft Edge to the build Microsoft’s Edge security release notes list as carrying the Chromium 146 fixes
  • Verify automatic browser updates are enabled and functioning; a browser that has downloaded the update still runs the old code until it is relaunched
  • Prioritize updates for internet-facing systems and users who browse untrusted sites
  • Inventory applications that embed Chromium (Electron apps, CEF-based software, system WebViews), which ship their own copies of V8 and Skia and must be updated separately

To check a single machine: open the three-dot menu (More) > Help > About Google Chrome. Opening that page triggers an update check; once the download finishes, select Relaunch so the patched build is actually running.
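To verify patch state across a fleet rather than one machine at a time, the following Python script (an added example written for this article, not tooling from Google or CISA) parses browser `--version` output, compares it numerically against the fixed Chrome build from the advisory, and flags hosts still on an older build. The hostnames and version lines are constructed sample data; `google-chrome` is assumed as the Linux launcher name, and the Edge fixed build is deliberately not hardcoded because it must be taken from Microsoft’s own release notes.

```python
"""Fleet check for CVE-2026-3909 / CVE-2026-3910: compare an installed Chrome build
against the fixed build from Google's advisory. Example code added to this article,
not Google's or CISA's tooling."""
import re
import subprocess
from typing import Optional, Tuple

# Lowest fixed build per product, from the advisory figures quoted in the article.
# 146.0.7680.75 is the fixed build on all platforms (Windows/macOS also ship .76).
# Add other Chromium browsers only with the fixed build their vendor publishes; Edge is
# left out on purpose because its fixed build must come from Microsoft's notes.
FIXED_BUILDS = {
    "Google Chrome": "146.0.7680.75",
}

_VERSION_RE = re.compile(r"\b(\d+(?:\.\d+){1,3})\b")


def parse_version(text: str) -> Tuple[int, ...]:
    """Pull the dotted version out of `--version` output such as
    'Google Chrome 146.0.7680.60' and return it as a tuple of ints, so that
    146.0.7680.9 < 146.0.7680.75 (plain string comparison gets that wrong)."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_patched(version_text: str, fixed_build: str) -> bool:
    """True when the installed build is at or above the fixed build."""
    return parse_version(version_text) >= parse_version(fixed_build)


def classify(version_text: str) -> str:
    """Map one `--version` line to 'patched', 'vulnerable' or 'unknown'
    (product not in the table, so it needs a manual check)."""
    for product, fixed_build in FIXED_BUILDS.items():
        if version_text.startswith(product):
            return "patched" if is_patched(version_text, fixed_build) else "vulnerable"
    return "unknown"


def installed_version(binary: str = "google-chrome") -> Optional[str]:
    """Ask a locally installed browser for its version string; None if it is absent.
    The binary name is an assumption for Linux installs."""
    try:
        result = subprocess.run([binary, "--version"], capture_output=True,
                                text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return result.stdout.strip() or None


# Constructed sample lines standing in for `--version` output collected from hosts.
SAMPLE_HOSTS = {
    "ws-01": "Google Chrome 146.0.7680.60",
    "ws-02": "Google Chrome 146.0.7680.75",
    "ws-03": "Google Chrome 146.0.7680.76",
    "ws-04": "Google Chrome 146.0.7680.9",    # lexically "9" > "75"; numerically it is older
    "ws-05": "Google Chrome 145.0.7632.100",
    "ws-06": "Brave 1.75.180",                # not in the table -> flagged for manual review
}


def report(hosts: dict) -> dict:
    """Classify every host's version line and return {hostname: status}."""
    return {host: classify(line) for host, line in hosts.items()}


if __name__ == "__main__":
    local = installed_version()
    if local:
        print(f"local: {local} -> {classify(local)}")
    for host, status in report(SAMPLE_HOSTS).items():
        print(f"{host}: {SAMPLE_HOSTS[host]} -> {status}")
```

Feed `report()` whatever your endpoint inventory or MDM exports as the browser version string; the numeric tuple comparison matters because a lexical compare would wrongly mark a `.9` build as newer than `.75`. Anything that lands in `unknown` (Edge, Brave, embedded Chromium) is a prompt to look up that vendor’s fixed build, not a pass.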

Technical Implications

Because exploitation happens inside the browser as a page is rendered, traditional perimeter defenses offer limited protection: the exploit arrives over ordinary HTTPS traffic from sites users are permitted to visit. Attackers can deliver it through:

  • Compromised legitimate websites
  • Malvertising campaigns
  • Watering hole attacks
  • Phishing links

A successful exploit of either flaw gives the attacker code execution in the renderer; chained with a sandbox escape, that becomes an initial-access foothold for ransomware deployment, data exfiltration, or lateral movement within enterprise networks.

Source: The Hacker News, Security Affairs