Google has issued urgent security updates for its Chrome browser to remediate two high-severity zero-day vulnerabilities that have been confirmed as actively exploited in real-world attacks. The flaws, tracked as CVE-2026-3909 and CVE-2026-3910, were discovered and reported by Google's internal security teams on March 10, 2026. In line with standard protocol for such actively exploited issues, Google has withheld technical details regarding the exploitation methods and the threat actors involved. This controlled disclosure strategy is critical to prevent widespread adoption of the exploit by other malicious groups while a majority of users update their browsers, thereby containing the immediate threat.
The vulnerabilities reside within the Skia graphics library and the V8 JavaScript engine, two core components of the Chrome browser. Exploitation of such flaws, particularly in the V8 engine, can often lead to arbitrary code execution, allowing attackers to compromise a user's system simply by enticing them to visit a malicious website. This marks the second time in less than a month that Google has rushed out fixes for an in-the-wild Chrome zero-day, following the recent patch for CVE-2026-2441, a high-severity use-after-free bug in the CSS component. In total, Google has addressed three weaponized zero-days in Chrome since the beginning of the year, highlighting a concerning trend of focused attacks against the world's most popular browser.
To ensure protection, all users must immediately update their Chrome browser to the latest patched versions: 146.0.7680.75 or 146.0.7680.76 for Windows and macOS, and version 146.0.7680.75 for Linux. The update process can be initiated by navigating to the browser's menu (More > Help > About Google Chrome), which will trigger an automatic check and prompt for a relaunch. It is imperative that users do not delay this action, as the existence of public exploits significantly raises the risk of drive-by download attacks and targeted compromises.
The impact of these patches extends beyond Chrome itself. Other browsers built on the Chromium open-source project, including Microsoft Edge, Brave, Opera, and Vivaldi, are inherently affected by the same vulnerabilities in the Skia and V8 components. Users of these browsers must vigilantly apply updates as soon as they are released by their respective vendors. This incident serves as a stark reminder of the persistent and evolving threat landscape, where even the most secure software requires constant vigilance and prompt patching to defend against sophisticated adversaries leveraging undisclosed vulnerabilities.
