Google has released an emergency security update for its Chrome browser addressing two high-severity zero-day vulnerabilities that are already being exploited in the wild. The flaws affect two core browser components, the Skia graphics library and the V8 JavaScript engine, and could allow attackers to execute malicious code through crafted web content.
The vulnerabilities, tracked as CVE-2026-3909 and CVE-2026-3910, both carry CVSS scores of 8.8, indicating a high level of risk. Google confirmed that active exploitation has been observed but has deliberately withheld technical details to prevent additional threat actors from weaponizing the flaws.
Organizations should immediately update Chrome to version 146.0.7680.75/76 or later and ensure that other Chromium-based browsers are patched once updates become available.
The Vulnerabilities
CVE-2026-3909: Out-of-Bounds Write in Skia Graphics Engine
Severity: High (CVSS 8.8)
The first vulnerability affects Skia, the 2D graphics rendering library used by Chrome to draw web content, UI elements, and graphics operations.
Technical Details
An out-of-bounds write condition occurs when a program writes data outside the allocated memory buffer. This memory corruption can allow attackers to overwrite adjacent memory regions, potentially enabling arbitrary code execution.
In this case:
- The vulnerability can be triggered via a specially crafted HTML page.
- The malicious page manipulates graphical rendering routines handled by Skia.
- The exploit leads to memory corruption, allowing attackers to control program execution.
Attack Scenario
- Victim visits a malicious website or compromised webpage.
- The page contains specially crafted graphical content.
- Skia processes the content incorrectly.
- Memory corruption occurs.
- The attacker gains control of the browser process.
This type of vulnerability is commonly used as the initial stage of browser exploitation chains.
CVE-2026-3910: Sandbox Code Execution in V8 Engine
Severity: High (CVSS 8.8)
The second vulnerability affects V8, the high-performance JavaScript and WebAssembly engine used by Chrome.
Technical Details
The vulnerability stems from an inappropriate implementation within V8, which can allow attackers to execute arbitrary code within the browser sandbox.
Although sandbox execution limits direct system access, attackers often combine such vulnerabilities with sandbox escape exploits to achieve full system compromise.
The flaw can be triggered through malicious JavaScript embedded in a crafted HTML page.
Why V8 Vulnerabilities Are Dangerous
V8 processes:
- JavaScript execution
- WebAssembly workloads
- Web application logic
- Browser extensions
Because V8 handles untrusted web code, it is one of the most frequently targeted components in browser exploitation campaigns.
Active Exploitation in the Wild
Google confirmed that both vulnerabilities are already being exploited, but the company has not disclosed:
- exploitation techniques
- threat actors involved
- targeted sectors
This restricted disclosure is a standard defensive practice used to delay widespread weaponization until users have time to apply patches.
Security researchers believe these types of Chrome zero-days are commonly used in:
- targeted espionage campaigns
- spyware deployments
- drive-by download attacks
- exploit kit frameworks
Chrome Zero-Day Trend in 2026
The latest vulnerabilities continue a worrying trend.
Since the beginning of 2026, Google has patched three Chrome zero-days exploited in the wild, including:
| CVE | Component | Severity | Status |
|---|---|---|---|
| CVE-2026-2441 | CSS Engine | 8.8 | Exploited |
| CVE-2026-3909 | Skia Graphics | 8.8 | Exploited |
| CVE-2026-3910 | V8 JavaScript Engine | 8.8 | Exploited |
Browser exploitation remains one of the most effective initial access vectors used by advanced threat actors.
CISA Adds Vulnerabilities to KEV Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added both vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog.
This means:
- Exploitation is confirmed in real-world attacks
- Federal agencies must patch within strict deadlines
Remediation Deadline
Federal Civilian Executive Branch (FCEB) agencies must apply fixes by:
March 27, 2026
Organizations outside government environments should treat this as a critical patching priority.
Affected and Patched Versions
The vulnerabilities affect Chrome versions prior to the following releases:
| Platform | Secure Version |
|---|---|
| Windows | 146.0.7680.76 |
| macOS | 146.0.7680.76 |
| Linux | 146.0.7680.75 |
Users can update Chrome via:
Menu → Help → About Google Chrome → Relaunch
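The manual menu path above verifies one machine at a time. For fleet checks, the following added script (not from the advisory or from Google) compares a reported Chrome version against the per-platform fixed builds from the table above. The platform labels (windows, macos, linux), the version strings fed to it, and the exit-code convention are assumptions made for this example; the fixed-version numbers themselves come from the advisory.

```shell
#!/bin/sh
# Added example, not from the advisory: report whether an installed Chrome
# build is at or above the release that fixes CVE-2026-3909 / CVE-2026-3910.
# Fixed versions come from the advisory's platform table; everything else
# (platform labels, exit codes) is an assumption made for this example.

# Lowest fixed build for a platform label (windows | macos | linux).
min_fixed_version() {
  case "$1" in
    windows|macos) echo "146.0.7680.76" ;;
    linux)         echo "146.0.7680.75" ;;
    *) echo "unknown platform: $1" >&2; return 1 ;;
  esac
}

# Component-wise numeric compare of dotted versions. Returns 0 if $1 < $2.
# A missing trailing component counts as 0, so "146.0" == "146.0.0.0".
version_lt() {
  _a=$1; _b=$2
  while [ -n "$_a" ] || [ -n "$_b" ]; do
    _x=${_a%%.*}; _y=${_b%%.*}
    [ -z "$_x" ] && _x=0
    [ -z "$_y" ] && _y=0
    [ "$_x" -lt "$_y" ] && return 0
    [ "$_x" -gt "$_y" ] && return 1
    case $_a in *.*) _a=${_a#*.} ;; *) _a= ;; esac
    case $_b in *.*) _b=${_b#*.} ;; *) _b= ;; esac
  done
  return 1
}

# Pull the first four-part version out of a string such as the output of
# `google-chrome --version` ("Google Chrome 146.0.7680.75").
extract_version() {
  printf '%s\n' "$1" | grep -oE '[0-9]+(\.[0-9]+){3}' | head -n1
}

# Returns 0 when the version is at or above the platform's fixed build.
is_patched() {
  _min=$(min_fixed_version "$1") || return 1
  if version_lt "$2" "$_min"; then return 1; fi
  return 0
}

# Human-readable verdict; exit status 0 = patched, 1 = vulnerable,
# 2 = version could not be parsed.
report() {
  _v=$(extract_version "$2")
  if [ -z "$_v" ]; then
    echo "UNKNOWN    $1: no version found in '$2'"
    return 2
  fi
  if is_patched "$1" "$_v"; then
    echo "PATCHED    $1 $_v (>= $(min_fixed_version "$1"))"
  else
    echo "VULNERABLE $1 $_v (< $(min_fixed_version "$1")): update Chrome"
    return 1
  fi
}

# Usage: sh chrome_check.sh <windows|macos|linux> "<version string>"
#   e.g. sh chrome_check.sh linux "$(google-chrome --version)"
if [ $# -ge 2 ]; then
  report "$1" "$2"
fi
```

Because the fixed build differs between Linux (.75) and Windows/macOS (.76), a single "is it 146.0.7680.75 or later" rule would wrongly pass a Windows host; the script keys the threshold on the platform for that reason.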
Chromium-Based Browsers Also Impacted
Because Chrome is the foundation of many browsers, the vulnerabilities also affect:
- Microsoft Edge
- Brave
- Opera
- Vivaldi
These vendors must integrate Chromium patches into their own releases, which may cause slight update delays.
Organizations should monitor vendor advisories and deploy updates as soon as they become available.
Enterprise Security Recommendations
Security teams should take the following actions immediately.
1. Patch Browsers
Deploy Chrome version 146.0.7680.75/76 or later across all endpoints.
2. Enforce Automatic Updates
Ensure enterprise policy enables Chrome automatic updates.
3. Monitor Browser Exploitation Indicators
SOC teams should watch for:
- suspicious browser crashes
- abnormal renderer process activity
- unusual WebAssembly execution
- memory corruption alerts from EDR
4. Harden Browser Environments
Recommended controls:
- disable unnecessary browser extensions
- enforce site isolation policies
- enable Safe Browsing enterprise features
- monitor browser process behavior in EDR
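Three of the controls above (extension restriction, site isolation, Safe Browsing) can be enforced centrally through Chrome's managed policy mechanism. The script below is an added example, not from the advisory or from Google, that writes such a policy file on Linux. It uses the Chrome enterprise policy names SitePerProcess, SafeBrowsingProtectionLevel, ExtensionInstallBlocklist and ExtensionInstallAllowlist and the Linux managed-policy directory /etc/opt/chrome/policies/managed; the file name hardening.json, the CHROME_POLICY_DIR override and the placeholder extension IDs are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the advisory: install a managed Chrome policy file
# on Linux that blocks all extensions except an allowlist, turns on site
# isolation, and sets Safe Browsing to its enhanced level.
# Policy names are Chrome enterprise policies; the directory is Chrome's
# Linux managed-policy path. The file name and the CHROME_POLICY_DIR override
# are assumptions made for this example.

POLICY_DIR=${CHROME_POLICY_DIR:-/etc/opt/chrome/policies/managed}
POLICY_FILE=$POLICY_DIR/hardening.json

# write_policy <dest-file> [extension-id ...]
# Files under policies/managed are mandatory for the user; policies/recommended
# would only set defaults the user may change, which is not what we want here.
write_policy() {
  _dest=$1; shift
  _allow=""
  for _id in "$@"; do
    _allow="$_allow${_allow:+, }\"$_id\""
  done
  mkdir -p "$(dirname "$_dest")"
  cat > "$_dest" <<EOF
{
  "SitePerProcess": true,
  "SafeBrowsingProtectionLevel": 2,
  "ExtensionInstallBlocklist": ["*"],
  "ExtensionInstallAllowlist": [$_allow]
}
EOF
  chmod 644 "$_dest"
}

# verify_policy <file>: confirm the three hardening controls are present.
# Useful as a post-deployment check from configuration management.
verify_policy() {
  grep -q '"SitePerProcess": true' "$1" &&
  grep -q '"SafeBrowsingProtectionLevel": 2' "$1" &&
  grep -q '"ExtensionInstallBlocklist": \["\*"\]' "$1"
}

# Usage (as root): sh chrome_policy.sh --install <allowed-extension-id> ...
# The extension IDs are placeholders to be replaced with the ones your
# organisation actually permits.
if [ "${1:-}" = "--install" ]; then
  shift
  write_policy "$POLICY_FILE" "$@"
  verify_policy "$POLICY_FILE" && echo "policy written to $POLICY_FILE"
fi
```

After deployment, chrome://policy on an endpoint lists the values Chrome actually loaded, which is the authoritative check that the file was picked up and not overridden by a conflicting source.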
5. Restrict High-Risk Browsing
Critical systems (admins, domain controllers, SOC workstations) should use:
- hardened browsers
- restricted internet access
- remote browsing isolation (RBI)
Why Browser Zero-Days Matter for CISOs
Modern attacks increasingly start with browser exploitation rather than email phishing.
Reasons include:
- browsers process large amounts of untrusted content
- exploit chains are highly reliable
- zero-click attacks are possible
- web-based spyware frameworks continue to evolve
Threat actors increasingly use browser vulnerabilities as an initial foothold before deploying malware or credential theft tools.
Conclusion
The discovery of two actively exploited Chrome vulnerabilities highlights the persistent threat posed by browser zero-days. With both vulnerabilities allowing exploitation through malicious web pages, organizations face a significant risk of compromise if systems remain unpatched.
Rapid patching, browser hardening, and SOC monitoring remain essential defensive measures.
Security teams should treat this update as high priority, especially given CISA’s decision to add both vulnerabilities to the KEV catalog.
