Google has released emergency security updates to fix two high-severity vulnerabilities in Chrome that are being actively exploited in the wild. These are the second and third Chrome zero-days patched in 2026, highlighting the continued targeting of browser vulnerabilities by threat actors.
The Vulnerabilities
The two zero-days—CVE-2026-3909 and CVE-2026-3910—target core components of the Chrome browser:
CVE-2026-3909: Out-of-Bounds Write in Skia
This vulnerability affects Skia, Chrome’s open-source 2D graphics library responsible for rendering web content and user interface elements. The out-of-bounds write flaw could allow attackers to crash the browser or achieve arbitrary code execution—a critical severity that could lead to full system compromise.
CVE-2026-3910: Inappropriate Implementation in V8
The second flaw exists in Chrome’s V8 JavaScript and WebAssembly engine. Inappropriate implementation bugs in V8 have historically been leveraged for sandbox escapes and remote code execution, making this a high-priority patch.
Rapid Response
Google discovered both vulnerabilities internally and moved swiftly to address them, patching within two days of discovery. Fixed versions are now available:
- Windows: 146.0.7680.75
- macOS: 146.0.7680.76
- Linux: 146.0.7680.75
Why It Matters
Browser zero-days represent prime targets for both nation-state actors and cybercriminals:
- Spyware Operations: Google’s Threat Analysis Group (TAG) frequently identifies Chrome zero-days used in targeted spyware campaigns
- Drive-by Downloads: Browser vulnerabilities enable attacks without user interaction beyond visiting a malicious page
- Widespread Impact: Chrome holds over 65% browser market share, making any zero-day a high-value target
In 2025, Google patched eight Chrome zero-days exploited in the wild. The 2026 pace suggests threat actors continue prioritizing browser exploitation.
Recommended Actions
Organizations and individuals should:
- Update Immediately: Navigate to
chrome://settings/helpto force an update check - Enable Auto-Updates: Ensure Chrome updates automatically at launch
- Monitor Endpoints: Enterprise security teams should verify patch deployment across managed devices
- Review Browser Policies: Consider restricting JavaScript execution on untrusted sites where feasible
Google has restricted access to technical details until the majority of users have updated, a standard practice to prevent widespread exploitation.
Source: BleepingComputer
