Google just dropped an urgent out-of-band security update for Chrome after confirming that hackers are actively exploiting two dangerous zero-day vulnerabilities. With over 3.5 billion Chrome users worldwide[1], this is not a drill. If you have not updated your browser yet, now is the time.
What Are the Two Chrome Zero-Day Vulnerabilities?
Tracked as CVE-2026-3909 and CVE-2026-3910, both vulnerabilities have been assigned a high severity rating with a CVSS score of 8.8.[2]
The first zero-day, CVE-2026-3909, stems from an out-of-bounds write weakness in Skia, an open-source 2D graphics library responsible for rendering web content and user interface elements, which attackers can exploit to crash the web browser or even gain code execution.[3]
CVE-2026-3910 is an inappropriate implementation vulnerability in the V8 JavaScript and WebAssembly engine that allows a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.[4]
In simple terms, a hacker could take control of parts of your browser just by getting you to visit a bad website. Both bugs can be exploited remotely and require only that a user visit a malicious website. Because the attack complexity is low, the vulnerabilities pose a higher real-world risk.[5]
Google Skia contains an out-of-bounds write vulnerability that affects Google Chrome and ChromeOS, Android, Flutter, and possibly other products.[6] That means the impact goes well beyond just the desktop browser.
How Are Attackers Using These Flaws?
Google has been tight-lipped about the specifics. Google says it is aware that exploits for both vulnerabilities are in the wild, though it has not shared details on how the bugs are being used or who might be behind the attacks. That silence is fairly typical when zero-days are involved.[7]
However, security experts say these types of browser flaws are commonly used in:
- Watering hole attacks where hackers compromise legitimate websites to target specific visitors
- Malvertising campaigns that use ad networks to deliver exploit payloads
- Spear-phishing emails with links to malicious web pages
- Exploit chains that pair one vulnerability with another for deeper system access
Exploitation of CVE-2026-3909 observed in the wild involves a highly sophisticated exploit chain, pairing this Skia vulnerability with CVE-2026-3910, a separate zero-day flaw located in the V8 JavaScript engine.[8]
This means the two flaws are being used together to break through Chrome’s security layers. Chrome’s Skia and V8 components are prime targets because they sit directly on the path between untrusted web content and the underlying system. It is possible to chain an out-of-bounds write in Skia with other bugs to break out of the renderer sandbox.[5]
The V8 engine has historically been a primary target for zero-day exploitation. The complexity of JIT optimization provides a large attack surface where subtle implementation errors can lead to exploitable conditions. Current data from underground forum intelligence suggests that V8 exploits remain high-demand items among sophisticated threat actors.[9]
CISA Adds Both Flaws to Known Exploited List
The U.S. government is treating this seriously. The U.S. Cybersecurity and Infrastructure Security Agency (CISA), on March 13, 2026, added both the Google Chrome vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by March 27, 2026.[4]
Key details at a glance:
| Detail | Info |
|---|---|
| CVE IDs | CVE-2026-3909 and CVE-2026-3910 |
| Severity | High (CVSS 8.8) |
| Affected Components | Skia Graphics Library and V8 JavaScript Engine |
| Discovery Date | March 10, 2026 |
| Patch Released | March 12, 2026 |
| CISA KEV Deadline | March 27, 2026 |
| Affected Browsers | Chrome, Edge, Brave, Opera, Vivaldi and all Chromium-based browsers |
Users of all Chromium-based browsers, including Microsoft Edge, Brave, and Vivaldi, are also advised to update their software as soon as patches become available.[10] This is not just a Chrome problem.
How to Update Chrome Right Now
The easiest way to stay up to date is to allow Chrome to update automatically. However, updates can lag if you rarely close your browser, or if something interferes with the update process.[5]
Here is how to manually trigger the update:
- Open Google Chrome
- Click the three-dot menu in the top-right corner
- Go to Settings > Help > About Google Chrome
- Chrome will check for and install the update
- Click Relaunch to apply the fix
Users should update immediately to 146.0.7680.75/76 (Windows/Mac) or 146.0.7680.75 (Linux) and ensure Chrome is relaunched so the patched build is active.[11]
The patch is not active until the browser is relaunched. Inform employees about the importance of restarting their browsers to apply updates.[9]
Organizations managing Chrome deployments through enterprise policies should prioritize pushing version 146.0.7680.75/76 across their environment without delay. Given the active exploitation status of both flaws, waiting for the automatic rollout is not advisable for high-risk environments.[12]
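A fleet check for the two points above, that hosts must reach build 146.0.7680.75 and that the fix only takes effect after a relaunch, written as an added example (not code from Google or from this article). The inventory fields `installed` and `running` and the host names are assumptions; versions are compared numerically because string comparison ranks 146.0.7680.8 above 146.0.7680.75.

```python
import re

# Minimum fixed Chrome build stated in the article (Windows/Mac/Linux).
PATCHED = (146, 0, 7680, 75)

def parse_version(text):
    """Turn '146.0.7680.75' into (146, 0, 7680, 75); return None if malformed."""
    if not re.fullmatch(r"[0-9]+(?:\.[0-9]+){3}", text.strip()):
        return None
    return tuple(int(p) for p in text.strip().split("."))

def classify(installed, running=None):
    """Patch state of one host; running=None means no Chrome process is live."""
    inst = parse_version(installed)
    if inst is None:
        return "unknown"
    if inst < PATCHED:
        return "needs_update"
    if running is not None:
        run = parse_version(running)
        if run is None:
            return "unknown"
        if run < PATCHED:
            # Fixed build is on disk, but the old process is still running.
            return "relaunch_pending"
    return "patched"

def triage(inventory):
    """Group hostnames by patch state."""
    report = {}
    for rec in inventory:
        state = classify(rec["installed"], rec.get("running"))
        report.setdefault(state, []).append(rec["host"])
    return report

# Constructed sample inventory (hypothetical hosts and field names).
SAMPLE = [
    {"host": "ws-01", "installed": "146.0.7680.76", "running": "146.0.7680.76"},
    {"host": "ws-02", "installed": "146.0.7680.75", "running": "145.0.7000.10"},
    {"host": "ws-03", "installed": "146.0.7680.8", "running": None},
    {"host": "ws-04", "installed": "146.0.7680.75"},
    {"host": "ws-05", "installed": "unknown-build"},
]

if __name__ == "__main__":
    for state, hosts in sorted(triage(SAMPLE).items()):
        print(state, hosts)
```

The threshold applies to Google Chrome only; other Chromium-based browsers carry their own build numbers, so take their fixed versions from the respective vendor.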
Chrome’s Growing Zero-Day Problem in 2026
These are the second and third actively exploited Chrome zero-days patched since the start of 2026. The first, tracked as CVE-2026-2441 and described as an iterator invalidation bug in CSSFontFeatureValuesMap, was addressed in mid-February.[3]
Three zero-days in less than three months is an alarming pace.
Last year, Google fixed a total of eight zero-days exploited in the wild, many of which were reported by Google’s Threat Analysis Group (TAG), a group of security researchers known for tracking and identifying zero-days exploited in spyware attacks.[3] At the current rate, 2026 could easily surpass that number.
On a brighter note, Google paid over $17 million to 747 security researchers who reported security bugs through its Vulnerability Reward Program (VRP) in 2025. The company says it has awarded over $81.6 million in bug bounties since the first Vulnerability Reward Program went live in 2010.[13] Rewards of $250,000 were handed out to researchers who demonstrated full-chain sandbox escape attacks in Chrome.[14]
That investment in bug hunters is clearly paying off. Both vulnerabilities were discovered and reported by Google itself on March 10, 2026.[2] The patches followed just two days later, showing how fast the company can move when the threat is real.
The speed of these zero-day discoveries in 2026 is a wake-up call for every Chrome user, every IT team, and every business that depends on a web browser to get work done. Updating your browser takes less than a minute, but ignoring it could cost you everything from personal data to corporate secrets. Don’t wait for the automatic update. Do it now.