
Google Patches Two Actively Exploited Chrome Zero-Day Vulnerabilities

Tags: actively-exploited-vulnerability, endpoint-software-vulnerability, widely-deployed-product-advisory
Updated April 2, 2026 at 09:03 AM (9 sources)

Google released emergency Chrome updates to fix two high-severity zero-day vulnerabilities, CVE-2026-3909 and CVE-2026-3910, that are being exploited in the wild. Advisory reporting says the flaws can enable data manipulation and security restriction bypass, prompting a high-risk assessment. Google has not disclosed attack details, indicating access to technical information may remain restricted until more users have installed the fixes.

Technical reporting identifies CVE-2026-3909 as an out-of-bounds write in Skia, Chrome’s graphics library, and CVE-2026-3910 as an inappropriate implementation issue in the V8 JavaScript and WebAssembly engine. Google said both were patched within days of being reported, with fixes rolling out to the Stable Desktop channel for Windows 146.0.7680.75, macOS 146.0.7680.76, and Linux 146.0.7680.75. The company warned that full update deployment may take days or weeks, making prompt browser updates important while exploitation is ongoing.

Timeline

  1. Mar 13, 2026

    CISA adds both Chrome flaws to the KEV catalog

    CISA updated its Known Exploited Vulnerabilities Catalog to add CVE-2026-3909 and CVE-2026-3910 as known exploited vulnerabilities. The agency set a remediation deadline of 2026-03-27 and directed organizations to apply vendor mitigations or discontinue use if mitigations were unavailable.

  2. Mar 13, 2026

    Google releases emergency Chrome updates for CVE-2026-3909 and CVE-2026-3910

    Google shipped Chrome Stable fixes for Windows, macOS, and Linux to address the two high-severity zero-days, with versions including 146.0.7680.75/76 for Windows and Mac and 146.0.7680.75 for Linux. The company said technical details would be withheld until most users had updated because the vulnerabilities were under active exploitation.

  3. Mar 10, 2026

    Google discovers two Chrome zero-day vulnerabilities

    Google internally discovered CVE-2026-3909, an out-of-bounds write in Skia, and CVE-2026-3910, an inappropriate implementation issue in the V8 JavaScript and WebAssembly engine. Both flaws were later identified as being actively exploited in the wild.
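A fleet check against the fixed builds and the KEV remediation deadline given above, as an added example that is not part of the original article. The inventory rows and host names are constructed, the per-platform thresholds follow the summary paragraph, and the check applies to Google Chrome version strings only.

```python
from datetime import date

# Fixed Stable builds per platform, as stated in the article's summary.
# macOS uses .76; a Mac on .75 is flagged for review (errs on the safe side).
FIXED = {
    "windows": (146, 0, 7680, 75),
    "macos": (146, 0, 7680, 76),
    "linux": (146, 0, 7680, 75),
}
KEV_DUE = date(2026, 3, 27)  # CISA KEV remediation deadline from the timeline


def parse_version(text):
    """Parse 'a.b.c.d' into a tuple of ints; return None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def assess(platform, version_text, as_of):
    """Classify one host: 'patched', 'vulnerable', 'overdue' or 'unknown'."""
    fixed = FIXED.get(platform.lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"  # unrecognised platform or version: review by hand
    if version >= fixed:  # numeric tuple compare, so .100 sorts above .75
        return "patched"
    return "overdue" if as_of > KEV_DUE else "vulnerable"


def triage(inventory, as_of):
    """Return {host: status} for every host not confirmed patched."""
    results = {host: assess(p, v, as_of) for host, p, v in inventory}
    return {h: s for h, s in results.items() if s != "patched"}


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE = [
    ("ws-001", "windows", "146.0.7680.75"),
    ("ws-002", "windows", "145.0.7632.160"),
    ("mac-001", "macos", "146.0.7680.75"),
    ("lin-001", "linux", "146.0.7680.100"),
    ("lin-002", "linux", "unknown"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE, date(2026, 4, 2)).items():
        print(f"{host}: {status}")
```

Hosts reported as `unknown` should be treated as unpatched until their version is confirmed, since Chrome only applies a downloaded update after a restart.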

Related Stories

Google Patches Two Actively Exploited Chrome Zero-Days

Google released an urgent **Chrome stable channel** update to address two **high-severity zero-day vulnerabilities** that the company says are being **actively exploited in the wild**. The patched versions are `146.0.7680.75/76` for **Windows and macOS** and `146.0.7680.75` for **Linux**, with rollout occurring over days to weeks. The flaws were reported internally by Google on March 10, and Google said access to additional bug details may remain restricted until most users have updated. The two vulnerabilities are **CVE-2026-3909**, an **out-of-bounds write in Skia**, and **CVE-2026-3910**, an **inappropriate implementation in V8**. Both components are high-value targets because they sit in Chrome’s rendering and JavaScript execution paths, creating opportunities for malicious webpages to trigger memory corruption or unsafe browser behavior that could lead to **arbitrary code execution**. The update is a substantive security release rather than routine product news because Google explicitly confirmed that exploits exist for both issues, making rapid patching a priority for enterprises and end users.

1 month ago

Active Exploitation of Undisclosed Chrome Zero-Day Vulnerability

Google has released urgent security updates for the Chrome browser to address a high-severity vulnerability that is being actively exploited in the wild. The flaw, tracked internally as issue 466192044, remains undisclosed in terms of its technical details, affected component, and CVE identifier, as Google is withholding this information to protect users while patches are deployed. Alongside this critical issue, two other medium-severity vulnerabilities—CVE-2025-14372 (use-after-free in Password Manager) and CVE-2025-14373 (inappropriate implementation in Toolbar)—were also fixed. Users of Chrome and other Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are strongly advised to update to the latest versions to mitigate risk. Security researchers have identified that the actively exploited vulnerability involves type confusion issues in Chrome’s V8 JavaScript engine, which can allow attackers to manipulate memory and potentially execute arbitrary code simply by luring users to malicious or compromised websites. With Chrome’s vast user base, the exposure is significant, and attackers are known to exploit such flaws before most users have updated. Google and security experts emphasize the importance of promptly applying browser updates and restarting Chrome to ensure protection against these in-the-wild attacks.

1 month ago

Google Patches Actively Exploited Chrome Zero-Day CVE-2026-2441 in CSS

Google released an out-of-band *Chrome Stable* update to fix **CVE-2026-2441**, a high-severity, actively exploited zero-day caused by a **use-after-free in Chrome’s CSS processing**. The flaw allows a remote attacker to trigger **arbitrary code execution within Chrome’s sandbox** via a crafted HTML page, making drive-by exploitation feasible if a user visits a malicious or compromised site. The issue is scored **CVSS 8.8** and has been characterized as **extremely high risk** due to confirmed in-the-wild exploitation. The patched versions include **Chrome 145.0.7632.75** (and `.76` per platform guidance) for Windows and macOS, and **144.0.7559.75** for Linux; organizations should prioritize rapid browser updates across managed endpoints. Public reporting credits **Shaheen Fazim** with discovering and reporting the vulnerability (reported Feb 11, 2026), while Google has not disclosed exploit details, threat actor attribution, or targeting information beyond confirming that an exploit exists in the wild.

1 month ago
