Google Patches Two Chrome Zero-Days Exploited in the Wild

Security Reporter

Google has released urgent security updates for Chrome to fix two high-severity zero-day vulnerabilities affecting the Skia graphics library and V8 JavaScript engine that are being actively exploited by attackers.

Google has issued emergency security updates for its Chrome web browser to address two high-severity vulnerabilities that are being actively exploited in the wild. The company released patches for CVE-2026-3909 and CVE-2026-3910, both rated 8.8 out of 10 on the CVSS scale, which places them in the high-severity range.

Critical Vulnerabilities in Chrome's Core Components

The first vulnerability, CVE-2026-3909, affects the Skia 2D graphics library, a fundamental component that handles rendering in Chrome. This out-of-bounds write vulnerability could allow remote attackers to perform out-of-bounds memory access through a specially crafted HTML page. The second vulnerability, CVE-2026-3910, resides in the V8 JavaScript and WebAssembly engine, where an inappropriate implementation flaw could enable arbitrary code execution within a sandbox environment via a crafted HTML page.

Both vulnerabilities were discovered and reported by Google's own security team on March 10, 2026. The company confirmed that exploits for both issues are currently being used in the wild, though specific details about the attacks and the threat actors behind them remain undisclosed. This information blackout is a standard practice designed to prevent other malicious actors from weaponizing the same vulnerabilities.

Update Immediately to Protect Your Browser

Users are strongly advised to update their Chrome browsers immediately to the latest versions: 146.0.7680.75/76 for Windows and macOS, and 146.0.7680.75 for Linux. To verify your browser is up to date, navigate to More > Help > About Google Chrome and select Relaunch if prompted.

This marks the third actively exploited Chrome zero-day that Google has patched in 2025 alone. Just last month, the company addressed CVE-2026-2441, a high-severity use-after-free bug in Chrome's CSS component that was also being exploited as a zero-day. The frequency of these attacks underscores the ongoing arms race between browser developers and sophisticated threat actors.

Broader Impact on the Chromium Ecosystem

Users of other Chromium-based browsers, including Microsoft Edge, Brave, Opera, and Vivaldi, should also be vigilant. While Google has released the patches, these browsers may require additional time to integrate the fixes into their specific builds. Browser vendors typically release updates within days of Google's security bulletins, but users should check for updates manually if automatic updates are disabled.

The exploitation of zero-days in widely used browsers like Chrome represents a significant threat to both individual users and organizations. These vulnerabilities can be used for everything from surveillance and data theft to deploying malware and ransomware. The fact that both the Skia library and V8 engine were targeted suggests attackers are focusing on Chrome's core rendering and execution components, which provide deep access to system resources.

For organizations with large-scale Chrome deployments, IT administrators should prioritize these updates and consider implementing additional monitoring for any unusual browser behavior. The combination of graphics library and JavaScript engine vulnerabilities also highlights the complexity of modern web browsers and the challenge of securing such multifaceted software platforms.

As cyber threats continue to evolve, maintaining up-to-date software remains one of the most effective defenses against known vulnerabilities. Chrome's auto-update feature is designed to handle these critical patches automatically, but manual verification ensures no devices are left exposed during active exploitation campaigns.
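For administrators who want to run that manual verification across a fleet, the following added example (not from Google or the original article) checks inventory records against the fixed builds listed above. The host names, the inventory format and the function names are assumptions made for illustration; the check applies to Google Chrome only, since other Chromium-based browsers use their own build numbers.

```python
import re

# Minimum fixed Chrome builds as stated in the article. For Windows and macOS
# the article lists 146.0.7680.75/76; the lower build is used as the floor.
PATCHED = {
    "windows": (146, 0, 7680, 75),
    "macos": (146, 0, 7680, 75),
    "linux": (146, 0, 7680, 75),
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Return a 4-tuple of ints, or None if not MAJOR.MINOR.BUILD.PATCH."""
    m = VERSION_RE.match(text.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def classify(platform, version):
    """Return 'patched', 'vulnerable' or 'unknown' for one inventory record."""
    floor = PATCHED.get(platform.strip().lower())
    parsed = parse_version(version)
    if floor is None or parsed is None:
        return "unknown"  # unrecognised platform or malformed version: review by hand
    # Tuple comparison is numeric per component, so 7680.9 sorts below 7680.75
    # (a plain string comparison would get this wrong).
    return "patched" if parsed >= floor else "vulnerable"


def audit(records):
    """Group host names by status. records: iterable of (host, platform, version)."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for host, platform, version in records:
        report[classify(platform, version)].append(host)
    return report


# Constructed sample inventory (hypothetical hosts and versions, not real data).
SAMPLE_INVENTORY = [
    ("ws-001", "Windows", "146.0.7680.76"),
    ("ws-002", "Windows", "146.0.7680.9"),
    ("mac-01", "macOS", "145.0.7632.160"),
    ("lnx-01", "Linux", "146.0.7680.75"),
    ("lnx-02", "Linux", "147.0.7700.3"),
    ("kiosk-7", "ChromeOS", "146.0.7680.75"),
    ("ws-003", "Windows", "146.0.7680"),
]

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Records that land in "unknown" are deliberately not counted as patched, so a truncated version string or an unlisted platform still surfaces for review.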
