Google Safeguards Users: Crucial Fixes for Two Exploited Chrome Zero-Days!
Google has swiftly rolled out emergency security updates to address two significant vulnerabilities in Chrome that are currently being exploited in zero-day attacks. In a security advisory published on Thursday, the tech giant confirmed, “Google is aware that exploits for both CVE-2026-3909 and CVE-2026-3910 exist in the wild.”
The first vulnerability, labeled CVE-2026-3909, arises from an out-of-bounds write flaw within Skia, an open-source 2D graphics library that handles rendering for web content and user interfaces. Attackers could potentially leverage this weakness to crash the browser or even execute arbitrary code. The second vulnerability, CVE-2026-3910, is linked to an inappropriate implementation within the V8 JavaScript and WebAssembly engine.
Both vulnerabilities were identified and patched within just two days of being reported, with new versions of Chrome released for users on Windows (146.0.7680.75), macOS (146.0.7680.76), and Linux systems (146.0.7680.75). While Google indicated that it may take time for all users to receive the out-of-band update, it was readily available for installation when BleepingComputer checked for updates earlier today.
Users who prefer not to update their browsers manually have the option to enable automatic updates, ensuring their browser installs the latest security patches during the next launch.
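For administrators who need to confirm which machines already run a fixed build, the following added example (not from Google or the original article) compares reported Chrome versions against the per-platform builds listed above. The inventory format, hostnames and sample records are constructed for illustration, and it assumes any build numerically at or above the listed one contains the fixes.

```python
import re

# Fixed builds per platform, as stated in the article.
FIXED = {
    "windows": (146, 0, 7680, 75),
    "macos": (146, 0, 7680, 76),
    "linux": (146, 0, 7680, 75),
}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Extract a four-part version from e.g. 'Google Chrome 146.0.7680.75'."""
    m = VERSION_RE.search(text or "")
    return tuple(int(p) for p in m.groups()) if m else None

def assess(platform, version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one installation."""
    fixed = FIXED.get(platform.strip().lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"  # needs manual review; never assume it is safe
    return "patched" if version >= fixed else "vulnerable"

def audit(inventory_lines):
    """Take 'host,platform,version output' records (assumed format).
    Return {host: status} for hosts that are not confirmed patched."""
    findings = {}
    for line in inventory_lines:
        parts = [p.strip() for p in line.split(",", 2)]
        if len(parts) != 3:
            continue  # skip records that do not match the assumed format
        host, platform, version_text = parts
        status = assess(platform, version_text)
        if status != "patched":
            findings[host] = status
    return findings

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    "ws-001,windows,Google Chrome 146.0.7680.75",
    "ws-002,windows,Google Chrome 146.0.7680.71",
    "mac-007,macos,Google Chrome 146.0.7680.75",
    "lnx-010,linux,Google Chrome 145.0.7632.160",
    "lnx-011,linux,Google Chrome 147.0.7700.2",
    "kiosk-3,chromeos,unavailable",
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Note that the macOS host on 146.0.7680.75 is flagged, because the fixed macOS build is one patch number higher than the Windows and Linux build.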
Despite confirming active exploitation of the zero-day flaws, Google did not provide further details on specific incidents. The company stated, “Access to bug details and links may be kept restricted until a majority of users are updated with a fix.” Restrictions may also be retained if the bug exists in a third-party library that other projects depend on and have not yet fixed.
These newly addressed vulnerabilities mark the second and third actively exploited Chrome zero-days resolved in 2026. Earlier this year, CVE-2026-2441, an iterator invalidation bug in the CSSFontFeatureValuesMap, was patched in mid-February. Last year alone, Google tackled eight zero-days that were being actively exploited, many of which were reported by its Threat Analysis Group (TAG), a team dedicated to tracking such security issues linked to spyware attacks.
On the same day, Google revealed that in 2025, it had distributed over $17 million to 747 security researchers through its Vulnerability Reward Program (VRP) for reporting security flaws.
As the landscape of online threats evolves, it is crucial for users to remain vigilant and ensure their browsers are up-to-date. The rapid deployment of these security updates underscores the growing sophistication of cyber threats and the importance of proactive measures to protect sensitive information and user privacy.
Original Source: https://www.bleepingcomputer.com/news/google/google-fixes-two-new-chrome-zero-days-exploited-in-attacks/
Publish Date: 2026-03-13 12:26:00