Google has released an emergency security update for its Chrome web browser to address two high-severity zero-day vulnerabilities that are being actively exploited in attacks. The company confirmed in a security advisory that exploits for both flaws, tracked as CVE-2026-3909 and CVE-2026-3910, already exist in the wild. This marks another critical instance where attackers are leveraging undisclosed vulnerabilities before a patch is widely available, posing a significant risk to users.
The first vulnerability, CVE-2026-3909, is an out-of-bounds write weakness in Skia, the open-source 2D graphics library used by Chrome for rendering web content and UI elements. This type of memory corruption flaw can allow an attacker to crash the browser or, more critically, achieve arbitrary code execution on the target system. The second flaw, CVE-2026-3910, is described as an inappropriate implementation vulnerability within the V8 JavaScript and WebAssembly engine, Chrome's core component for processing web scripts. Such an implementation error could be exploited to bypass security mechanisms or execute malicious code.
Google moved swiftly to develop and deploy patches after discovering the flaws internally. Updates were released for the Stable Desktop channel within two days of reporting. The patched versions are 146.0.7680.75 for Windows and Linux, and 146.0.7680.76 for macOS. While Google notes that the out-of-band update may take days or even weeks to propagate fully to all users, manual checks for updates have confirmed immediate availability. Users are strongly advised to restart their browsers to apply the fix.
This incident underscores the persistent threat of zero-day exploits targeting widely used software like web browsers. Users and organizations should ensure automatic updates are enabled or manually update Chrome immediately via the browser's Help > About Google Chrome menu. Proactive patching remains the most effective defense against such in-the-wild exploitation, as these vulnerabilities can be weaponized for data theft, system compromise, or as an initial access vector for more extensive attacks.
