Google has released emergency security updates to patch two high-severity Chrome vulnerabilities being actively exploited in zero-day attacks, affecting an estimated 3.5 billion users worldwide.
“Google is aware that exploits for both CVE-2026-3909 & CVE-2026-3910 exist in the wild,” the company stated in a security advisory published Thursday.
The Vulnerabilities
CVE-2026-3909 stems from an out-of-bounds write weakness in Skia, Google’s open-source 2D graphics library responsible for rendering web content and user interface elements. Attackers can exploit this flaw to crash the browser or achieve arbitrary code execution on target systems.
CVE-2026-3910 is described as an inappropriate implementation vulnerability in the V8 JavaScript and WebAssembly engine—the core component that executes JavaScript code in Chrome. V8 vulnerabilities are particularly dangerous as they can enable sandbox escapes and remote code execution.
Rapid Response
Google discovered and patched both security flaws within two days of initial reporting, demonstrating the company’s accelerated response to in-the-wild exploitation. Updated versions are now rolling out:
- Windows: 146.0.7680.75
- macOS: 146.0.7680.76
- Linux: 146.0.7680.75
While the out-of-band update could take days or weeks to reach all users, manual checks show updates are already available.
Details Under Wraps
Google has not disclosed technical details about the exploitation methods, stating: “Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”
This controlled disclosure approach prevents attackers from weaponizing vulnerability details before patches propagate across the user base.
2026 Zero-Day Tally
These are the second and third actively exploited Chrome zero-days patched since January 2026. The first, CVE-2026-2441, addressed an iterator invalidation bug in CSSFontFeatureValuesMap and was fixed in mid-February.
For comparison, Google fixed eight zero-days exploited in the wild throughout 2025, many discovered by Google’s Threat Analysis Group (TAG) while tracking spyware operations.
Recommended Actions
Update Chrome immediately. Navigate to Settings → About Chrome, or let the browser auto-update and restart. Organizations should prioritize pushing this update through enterprise management tools given the active exploitation.
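For organizations checking how far the update has propagated, the following added example (not from Google's advisory or the original article) triages an inventory export against the fixed builds listed above. The CSV layout, host names and the installed versions in the sample are constructed assumptions; only the three fixed build numbers come from this page.

```python
import csv
import io

# Fixed builds per platform, as listed in this article.
FIXED = {
    "windows": "146.0.7680.75",
    "macos": "146.0.7680.76",
    "linux": "146.0.7680.75",
}

# Constructed sample inventory (hypothetical hosts and installed versions).
SAMPLE_INVENTORY = """\
host,platform,chrome_version
ws-001,Windows,146.0.7680.75
ws-002,Windows,146.0.7680.31
ws-004,Windows,146.0.7680.100
mac-010,macOS,146.0.7680.75
lin-020,Linux,147.0.7700.2
lin-021,Linux,145.0.7632.160
kiosk-7,ChromeOS,146.0.7680.75
ws-003,Windows,unknown
"""

def parse_version(text):
    """Return a 4-tuple of ints for a Chrome version, or None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def triage(inventory_csv):
    """Classify each host as patched, vulnerable, or needing manual review."""
    result = {"patched": [], "vulnerable": [], "review": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        fixed = FIXED.get(row["platform"].strip().lower())
        installed = parse_version(row["chrome_version"])
        if fixed is None or installed is None:
            result["review"].append(row["host"])  # unlisted platform or bad data
        elif installed >= parse_version(fixed):   # numeric, not string, compare
            result["patched"].append(row["host"])
        else:
            result["vulnerable"].append(row["host"])
    return result

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Note that the macOS host on 146.0.7680.75 is flagged, because the fixed macOS build is one patch level higher than on Windows and Linux. An inventory that reports the version installed on disk does not show whether the running browser has been restarted onto it.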
The rapid weaponization of browser vulnerabilities underscores why keeping browsers patched remains one of the most critical security hygiene practices for both individuals and enterprises.
