Google: Google Patches Two Chrome Zero-Day Vulnerabilities Exploited in Active Attacks

Google Patches Two Actively Exploited Chrome Zero-Days in Emergency Update

Google has released an out-of-band security update for Chrome to address two high-severity zero-day vulnerabilities, CVE-2026-3909 and CVE-2026-3910, that are currently being exploited in the wild. The patches are available for Windows (146.0.7680.75), macOS (146.0.7680.76), and Linux (146.0.7680.75) as of Thursday.

The first flaw, CVE-2026-3909, is an out-of-bounds write vulnerability in Skia, Chrome’s open-source 2D graphics engine. Such flaws can enable attackers to crash the browser or execute arbitrary code. The second, CVE-2026-3910, involves an inappropriate implementation in V8, Chrome’s JavaScript and WebAssembly engine. Google has withheld technical details for both vulnerabilities while the update rolls out.

Chrome typically updates automatically, but users can force the patch by navigating to Settings > Help > About Google Chrome, triggering an immediate check and installation. A browser relaunch is required to complete the update. Google notes that the rollout may take days or weeks to reach all users.

These are the second and third actively exploited Chrome zero-days patched in 2026, following CVE-2026-2441, a CSS-related flaw fixed in February. In 2025, Google addressed eight actively exploited Chrome zero-days. No details about the current attacks have been disclosed, and bug specifics will remain restricted until most users are protected.

Source: https://www.ghacks.net/2026/03/16/google-patches-two-chrome-zero-day-vulnerabilities-exploited-in-active-attacks/

Google Chrome cybersecurity rating report: https://www.rankiteo.com/company/google-chrome
