Google on Thursday pushed out security updates for Chrome addressing two zero-day vulnerabilities, both rated 8.8 out of 10 on the CVSS severity scale, that the company confirmed are being exploited in real-world attacks.
The first flaw, CVE-2026-3909, is an out-of-bounds write vulnerability in Skia, the open-source 2D graphics library Chrome uses for rendering. It allows a remote attacker to access memory outside the intended boundaries through a specially crafted HTML page. The second, CVE-2026-3910, is an inappropriate implementation bug in V8, Chrome’s JavaScript and WebAssembly engine, that could allow an attacker to execute arbitrary code within the browser’s sandbox, again via a malicious webpage.
Both vulnerabilities were discovered internally by Google on March 10 and patched two days later. As is standard practice, Google has withheld technical details about how the flaws are being exploited and by whom, in order to limit the window for other threat actors to take advantage before users update.
This brings Google’s total count of actively exploited Chrome zero-days in 2026 to three. Less than a month ago, the company patched CVE-2026-2441, a high-severity use-after-free bug in Chrome’s CSS component that had also been weaponised in the wild.
Users should update Chrome to version 146.0.7680.75/76 on Windows and macOS, or 146.0.7680.75 on Linux. The update can be triggered by navigating to More > Help > About Google Chrome. Users of other Chromium-based browsers, including Microsoft Edge, Brave, Opera, and Vivaldi, should also apply patches as they become available.
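For fleet triage against the fixed builds listed above, this added example (not from Google or the original article) classifies browser inventory rows as patched, vulnerable, or unknown. The `classify` helper, the hostnames and every version string in the sample inventory are constructed for illustration.

```python
import re

# Fixed builds as stated in the article: 146.0.7680.75/76 on Windows and macOS,
# 146.0.7680.75 on Linux. The lowest fixed build is the floor on every platform.
FIXED = {
    "windows": (146, 0, 7680, 75),
    "macos": (146, 0, 7680, 75),
    "linux": (146, 0, 7680, 75),
}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Extract a four-part version from free-form text, or return None."""
    m = VERSION_RE.search(text or "")
    return tuple(int(p) for p in m.groups()) if m else None

def classify(product, platform, version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one inventory row."""
    # Other Chromium-based browsers use their own version numbering, so the
    # Chrome build floor does not apply to them; check the vendor's advisory.
    if product.strip().lower() not in ("google chrome", "chrome"):
        return "unknown"
    floor = FIXED.get(platform.strip().lower())
    version = parse_version(version_text)
    if floor is None or version is None:
        return "unknown"  # unrecognised platform or unparseable version
    # Tuples compare component by component, so 7680.9 < 7680.75 is handled
    # correctly, unlike a plain string comparison.
    return "patched" if version >= floor else "vulnerable"

# Constructed sample inventory: (host, product, platform, reported version).
INVENTORY = [
    ("ws-001", "Google Chrome", "windows", "Google Chrome 146.0.7680.76"),
    ("ws-002", "Google Chrome", "macos", "Google Chrome 146.0.7680.9"),
    ("srv-01", "Google Chrome", "linux", "Google Chrome 145.0.7000.10 "),
    ("ws-003", "Microsoft Edge", "windows", "146.0.1000.1"),
    ("ws-004", "Google Chrome", "windows", "n/a"),
]

def triage(inventory):
    """Map each host to its classification."""
    return {host: classify(prod, plat, ver) for host, prod, plat, ver in inventory}

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}: {status}")
```

Rows reported as unknown need manual follow-up rather than being treated as safe.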
