CVE-2026-3909

Google has patched two high-severity Chrome zero-days being actively exploited in the wild — CVE-2026-3909, an out-of-bounds write in the Skia graphics library, and CVE-2026-3910, an inappropriate implementation flaw in the V8 JavaScript engine. Both carry a CVSS score of 8.8. Update Chrome to version 146.0.7680.75 immediately.

Severity

high

CVSS Score

8.8 / 10

Exploitation

Actively exploited

Published

Mar 13, 2026

Affected Products

›Google Chrome on Windows — versions prior to 146.0.7680.75
›Google Chrome on macOS — versions prior to 146.0.7680.76
›Google Chrome on Linux — versions prior to 146.0.7680.75
›All Chromium-based browsers (Microsoft Edge, Brave, Opera, Vivaldi) pending upstream patch integration

Full Analysis

Google Patches Two Chrome Zero-Days Actively Exploited in the Wild — Skia and V8 Engine Both Affected

Deep-dive: technical breakdown, real-world impact, complete remediation steps, and expert context.

Read the full report →

← All threat reports All articles