Google has released emergency security patches to address two high-severity vulnerabilities affecting the Chrome web browser. These issues are tracked as CVE-2026-3909 and CVE-2026-3910, each carrying a CVSS score of 8.8.
According to Google’s advisory, both vulnerabilities are already being actively exploited in real-world attacks. This significantly increases the risk to users who have not yet applied the latest browser update.
The vulnerabilities allow remote attackers to exploit weaknesses in Chrome components simply by convincing a user to open a maliciously crafted HTML page. Successful exploitation could lead to memory corruption or execution of malicious code within the browser environment.
Google discovered the flaws internally on March 10, 2026, but the company has not publicly shared technical details about the ongoing attacks or the threat actors responsible. Limiting such details is a common defensive practice to reduce the chances of further exploitation before users update their systems.

Vulnerability Overview
CVE-2026-3909 – Skia Out-of-Bounds Write
- CVSS Score: 8.8 (High)
- Affected Component: Skia 2D Graphics Library
This vulnerability originates from an out-of-bounds write condition within Skia, the graphics library responsible for rendering visual elements and web content in Chrome.
An attacker can craft a specially designed webpage that triggers this flaw. If a user visits the page, the browser may perform an invalid memory operation, which can lead to memory corruption. In certain scenarios, this condition could be leveraged to execute malicious code within the browser process.
Skia is used not only in Chrome but also in several other software products, so vulnerabilities in this component can matter beyond the browser itself.
CVE-2026-3910 – V8 Engine Implementation Flaw
- CVSS Score: 8.8 (High)
- Affected Component: V8 JavaScript / WebAssembly Engine
The second vulnerability involves an incorrect implementation in Chrome’s V8 engine, the component responsible for executing JavaScript and WebAssembly code.
A specially crafted HTML page can exploit this flaw to run arbitrary code inside the browser’s sandbox environment. Because the V8 engine processes dynamic web content, it has historically been a frequent target for attackers seeking browser-based exploitation.
Although the sandbox environment restricts direct system access, vulnerabilities in V8 can sometimes be combined with other bugs to escape the sandbox and compromise the host system.
Exploitation in the Wild
Google confirmed that exploits for both vulnerabilities are being used in real-world attacks. However, the company has not disclosed:
- The specific attack campaigns
- The threat actors responsible
- Technical indicators or exploitation methods
Such restrictions are typical when active exploitation is ongoing, as publishing full details could enable additional attackers to replicate the exploits before systems are patched.
Both vulnerabilities have low attack complexity and can be exploited remotely, meaning the victim only needs to visit a malicious webpage.
Affected and Patched Versions
Google has released patched builds in the Chrome Stable channel:
| Platform | Patched Version |
|---|---|
| Windows | 146.0.7680.75 / 146.0.7680.76 |
| macOS | 146.0.7680.75 / 146.0.7680.76 |
| Linux | 146.0.7680.75 |
The updates are being distributed gradually and may take several days or weeks to reach all users.
Systems running Chrome version 146.0.7680.75 or newer are protected from these vulnerabilities.
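The version threshold above can be checked across an inventory export. The following is an added example, not code from Google or from the original article: it compares versions numerically (a plain string comparison would rank 7680.100 below 7680.75) and separately flags hosts where a fixed build is installed but an older process is still running, since the update only takes effect after a browser restart. The row format, hostnames and the `classify`/`audit` helpers are assumptions made for illustration.

```python
import re

# First fixed Stable build per platform, from the table above.
PATCHED = {
    "windows": (146, 0, 7680, 75),
    "macos": (146, 0, 7680, 75),
    "linux": (146, 0, 7680, 75),
}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Pull a four-part version out of text such as 'Google Chrome 146.0.7680.75'."""
    match = VERSION_RE.search(text or "")
    return tuple(int(part) for part in match.groups()) if match else None


def classify(platform, installed, running=None):
    """Return 'patched', 'restart-pending', 'vulnerable' or 'unknown'."""
    baseline = PATCHED.get(platform.lower())
    on_disk = parse_version(installed)
    if baseline is None or on_disk is None:
        return "unknown"
    if on_disk < baseline:  # integer tuples: 7680.100 sorts above 7680.75
        return "vulnerable"
    in_memory = parse_version(running) if running else on_disk
    if in_memory is None:
        return "unknown"
    # Fixed build on disk but an older process still running: fix not active.
    return "patched" if in_memory >= baseline else "restart-pending"


def audit(rows):
    """Map host -> status for (host, platform, installed, running) rows."""
    return {host: classify(plat, inst, run) for host, plat, inst, run in rows}


# Constructed inventory rows; hostnames and all versions other than the
# patched builds listed in the table are made up for this example.
SAMPLE = [
    ("ws-01", "windows", "Google Chrome 146.0.7680.76", "146.0.7680.76"),
    ("ws-02", "windows", "146.0.7680.75", "145.0.7000.10"),
    ("mac-01", "macos", "145.0.7000.10", "145.0.7000.10"),
    ("lnx-01", "linux", "Google Chrome 146.0.7680.100", None),
    ("lnx-02", "linux", "", None),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as `unknown` should be treated as unpatched until the version can be confirmed.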
Related Chrome Zero-Day (Earlier 2026)
Earlier, in February 2026, Google addressed another actively exploited Chrome vulnerability:
- CVE-2026-2441 (CVSS 8.8)
- Vulnerability Type: Use-after-free bug
- Affected Component: CSS handling within Chrome
This vulnerability allowed attackers to exploit memory management errors in the browser’s CSS component, potentially enabling system compromise.
The issue was discovered and responsibly reported by security researcher Shaheen Fazim on February 11, 2026. Google also confirmed active exploitation but did not disclose operational details about the attacks.
Notably, CVE-2026-2441 was the first Chrome zero-day exploited in 2026, following eight similar vulnerabilities patched during 2025.
Technical Risk Analysis
Chrome components such as Skia and V8 are considered high-value targets for attackers because they process untrusted web content directly from the internet.
Key security risks include:
- Memory corruption vulnerabilities, such as out-of-bounds writes, which can enable code execution.
- Implementation flaws in scripting engines, often used in exploit chains.
- The possibility of combining multiple vulnerabilities to escape the browser sandbox and compromise the operating system.
Threat actors behind advanced persistent threat (APT) operations or commercial spyware campaigns frequently chain browser vulnerabilities to achieve full system compromise.
Mitigation and Defensive Measures
Immediate Action
Users and organizations should update Chrome immediately to the latest stable version.
Manual Update Steps
- Open the Chrome menu (three-dot icon).
- Navigate to Settings → About Chrome.
- Chrome will automatically check for updates and begin downloading if available.
- Restart the browser to apply the update.
Additional Security Best Practices
To reduce exposure to browser-based threats:
- Avoid clicking suspicious links received via email, messaging platforms, or social media.
- Enable automatic updates to ensure timely patch deployment.
- Restart browsers regularly, as some updates only activate after a restart.
- Use a reputable real-time anti-malware solution with web protection capabilities.
Users of Chromium-based browsers (such as Edge, Brave, or others) should also monitor for similar security updates, as these browsers share the same underlying codebase.
Conclusion
The discovery of CVE-2026-3909 and CVE-2026-3910 highlights the ongoing risk posed by browser vulnerabilities, particularly those affecting components that process web content.
Because both flaws are actively exploited and easy to trigger through malicious webpages, organizations and individuals should treat this update as a high-priority patch. Rapid patch management, combined with cautious browsing behavior and layered security controls, remains critical for mitigating browser-based threats.
