CyberTimes
March 13, 2026 · CyberTimes Security Team

Google Patches Two Chrome Zero-Days Actively Exploited in the Wild — Skia and V8 Engine Both Affected


Severity: 🟠 HIGH
CVSS Score: 8.8/10
Exploited: Yes — active
Fix Status: Patch available
Who is affected: Anyone running Google Chrome on Windows or Linux on a version prior to 146.0.7680.75, or on macOS on a version prior to 146.0.7680.76. This also affects all Chromium-based browsers including Microsoft Edge, Brave, Opera, and Vivaldi that have not yet incorporated the same upstream patch.

Google has issued an emergency security update for Chrome to address two high-severity zero-day vulnerabilities that the company confirms are being actively exploited in the wild. Tracked as CVE-2026-3909 and CVE-2026-3910, both vulnerabilities carry a CVSS score of 8.8 and were discovered internally by Google on March 10, 2026 — just two days before patches were pushed to users. These are the second and third actively exploited Chrome zero-days patched in 2026, following CVE-2026-2441 which was addressed in mid-February. The attack vector in both cases is a maliciously crafted HTML page, meaning a user can be compromised simply by visiting a weaponized website — no download required, no additional interaction needed.


Affected products

  • Google Chrome on Windows — versions prior to 146.0.7680.75
  • Google Chrome on macOS — versions prior to 146.0.7680.76
  • Google Chrome on Linux — versions prior to 146.0.7680.75
  • All Chromium-based browsers (Microsoft Edge, Brave, Opera, Vivaldi) pending upstream patch integration

How to Fix

Step-by-step remediation

The patched Chrome version, 146.0.7680.75 on Windows and Linux and 146.0.7680.76 on macOS, began rolling out on March 12, 2026. The rollout is gradual and may take days or weeks to reach all users automatically, but the update is available immediately for anyone who manually checks.

  • Open Chrome, go to the three-dot menu in the top right corner, select Help, then About Google Chrome. Chrome detects and downloads the available update automatically on this screen.
  • Once the download completes, click Relaunch to apply it. Chrome only applies a downloaded update at launch, so a browser that is never fully closed keeps running the old version even after the update has been fetched.
  • After the relaunch, confirm that the version shown on the About page is 146.0.7680.75 or later (146.0.7680.76 or later on macOS).
  • If you rely on tabs reopening automatically and never fully close Chrome, get into the habit of restarting the browser periodically, not just closing and reopening tabs.
  • For organisations managing Chrome across a device fleet, push the update via your endpoint management platform immediately rather than waiting for the automatic rollout, and verify the installed version on each endpoint rather than assuming the push succeeded.
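For fleet verification, the following POSIX shell helper is an added example written for this article; it is not Google's tooling and not code from CyberTimes. It compares an installed Chrome build against the fixed versions listed above, handling the Windows/Linux versus macOS split and the classic pitfall of comparing version strings lexically (where 146.0.7680.9 would sort above 146.0.7680.75). The fixed version numbers are the ones the article states; the platform labels, the binary names and the macOS app path used for local detection are assumptions you should adjust for your environment.

```shell
#!/bin/sh
# Added example, not part of the CyberTimes article or any Google tooling.
# Checks whether an installed Chrome build is at or above the fixed build for
# CVE-2026-3909 / CVE-2026-3910. Fixed versions are those stated in the article;
# platform labels, binary names and the macOS app path are assumptions.

# Minimum fixed build per platform (article: .75 on Windows/Linux, .76 on macOS).
fixed_version_for() {
    case "$1" in
        macos)         printf '%s\n' "146.0.7680.76" ;;
        windows|linux) printf '%s\n' "146.0.7680.75" ;;
        *)             return 1 ;;
    esac
}

# Compare two dotted numeric versions field by field as integers.
# Prints -1, 0 or 1 for a<b, a=b, a>b. Missing trailing fields count as 0.
# Uses only parameter expansion, so it works in dash, bash, busybox sh, etc.
version_cmp() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}; a=${a#*.}
        fb=${b%%.*}; b=${b#*.}
        fa=${fa:-0}; fb=${fb:-0}
        case "$fa$fb" in
            *[!0-9]*) echo "version_cmp: non-numeric field in '$1' or '$2'" >&2; return 2 ;;
        esac
        if [ "$fa" -lt "$fb" ]; then printf '%s\n' -1; return 0; fi
        if [ "$fa" -gt "$fb" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# usage: is_patched <installed_version> <windows|macos|linux>
# exit 0 = at or above the fixed build, 1 = vulnerable, 2 = unknown platform
is_patched() {
    fixed=$(fixed_version_for "$2") || return 2
    [ "$(version_cmp "$1" "$fixed")" -ge 0 ]
}

# Best-effort local detection on Linux/macOS. Binary names and the app path are
# assumptions; for Windows fleets read the version from your endpoint inventory.
installed_version() {
    for bin in google-chrome google-chrome-stable chromium-browser chromium \
        "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"; do
        if command -v "$bin" >/dev/null 2>&1; then
            "$bin" --version 2>/dev/null | grep -oE '[0-9]+(\.[0-9]+){3}' | head -n 1
            return 0
        fi
    done
    return 1
}

# With --check-local the script inspects this host; without arguments it only
# defines the functions so it can be sourced from other fleet scripts.
if [ "${1:-}" = "--check-local" ]; then
    case "$(uname -s)" in Darwin) plat=macos ;; Linux) plat=linux ;; *) plat=unknown ;; esac
    v=$(installed_version) || { echo "Chrome not found on this host" >&2; exit 2; }
    is_patched "$v" "$plat"; rc=$?
    case "$rc" in
        0) echo "Chrome $v on $plat: at or above the fixed build" ;;
        1) echo "Chrome $v on $plat: VULNERABLE to CVE-2026-3909/3910, update and relaunch"; exit 1 ;;
        *) echo "Chrome $v: platform '$plat' has no fixed version entry" >&2; exit 2 ;;
    esac
fi
```

Note that a reported version is only meaningful after a relaunch: `--version` reflects the binary on disk, which Chrome swaps in at launch, so a host that has downloaded the update but not restarted still reports the old build, which is exactly the state you want to catch.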


What happened

CVE-2026-3909 is an out-of-bounds write vulnerability in Skia, the open-source 2D graphics library that Chrome uses to render images, text, fonts, and all visual elements across the browser interface and web content. An out-of-bounds write occurs when a program writes data beyond the boundaries of the memory it allocated. In a browser this class of memory corruption is particularly dangerous: an attacker who can trigger it reliably may be able to corrupt adjacent memory, crash the browser, or turn the corruption into arbitrary code execution in the affected process.

CVE-2026-3910 is an inappropriate implementation vulnerability in V8, Chrome's high-performance JavaScript and WebAssembly engine. V8 executes JavaScript delivered by every website you visit, which makes it a high-value target because it is continuously fed attacker-controlled input during normal browsing. Implementation flaws in JavaScript engines frequently let carefully constructed scripts on a malicious page corrupt memory during script execution and run attacker code inside the renderer process; because Chrome's renderer runs inside a sandbox, a full compromise of the machine usually also requires a separate sandbox-escape bug. Google has confirmed that exploits for both flaws exist and are being used in active attacks, but consistent with its standard disclosure policy, the company has withheld specific details about the attack campaigns, targets, and threat actors involved to prevent additional exploitation while the patch rolls out.

Real-World Impact

Both vulnerabilities require only that a victim visit a malicious or compromised webpage — no file download, no plugin, no additional step. This makes them viable as drive-by exploitation tools, where attackers compromise legitimate websites or run malicious advertising and direct victims toward pages delivering the exploit silently in the background. The broader context makes this update particularly urgent: Chrome is the world's most widely used browser, running on an estimated 3.4 billion devices. A zero-day in Chrome's rendering engine or JavaScript runtime represents one of the highest-leverage attack surfaces available to threat actors at any given time. In 2025, Google patched a total of eight actively exploited Chrome zero-days. Three have already been confirmed exploited in the wild in the first ten weeks of 2026, suggesting continued aggressive targeting of the browser by sophisticated actors.

Technical Details

Skia (CVE-2026-3909) is the graphics engine underlying Chrome's rendering pipeline; it draws everything you see in the browser, from fonts and images to the browser UI itself. An out-of-bounds write in this component means a crafted HTML page can make the browser write memory outside an allocated buffer, a primitive that attackers chain into code execution. V8 (CVE-2026-3910) is the JavaScript runtime engine shared by Chrome and Node.js. Its complexity and constant exposure to third-party JavaScript make it one of the most scrutinised components in browser security. The inappropriate implementation classification covers a broad class of logic errors where a feature is built in a way that violates its intended security constraints; in V8 such bugs frequently let a script corrupt memory during script evaluation and execute attacker code within the sandboxed renderer process, which attackers then pair with a sandbox-escape bug when they need to reach the underlying system. Google reported both vulnerabilities through its internal security teams on March 10 and had patches in the Stable channel by March 12, a 48-hour turnaround that reflects the confirmed exploitation status. As of publication, no technical indicators of compromise or threat actor attribution have been made public.

🛡️ Prevention Tips

The most effective mitigation is keeping Chrome updated — this sounds obvious but the gradual rollout means many users will remain on vulnerable versions for days after a patch ships. Enable automatic updates and restart Chrome regularly. For enterprise environments, prioritise browser updates with the same urgency as OS patches when zero-days are confirmed exploited in the wild. Consider deploying browser isolation technology for high-risk users such as finance, legal, and executive teams who are more likely to be targeted with zero-day exploits delivered via spearphishing links. Be cautious with links received via email, social media, or messaging platforms that direct you to unfamiliar websites — drive-by exploitation via zero-days often begins with a social engineering lure designed to get victims to click a specific URL.


FAQs

Do I need to do anything if Chrome updates automatically?

Chrome applies updates automatically but only when the browser is fully restarted. If you leave Chrome running for days without closing it, you may be on an outdated version even if the update has already downloaded. Go to Help → About Google Chrome to confirm your version number (146.0.7680.75 or later on Windows and Linux, 146.0.7680.76 or later on macOS) and relaunch if prompted.


Does this affect Edge, Brave, or other Chromium-based browsers?

Yes. CVE-2026-3909 and CVE-2026-3910 affect the Chromium engine that underpins all Chromium-based browsers including Microsoft Edge, Brave, Opera, and Vivaldi. Each vendor must independently integrate the upstream fix and push their own update. Check each browser's update settings and install any available updates now.

