Google has released emergency security updates to patch two high-severity Chrome vulnerabilities exploited in zero-day attacks.
“Google is aware that exploits for both CVE-2026-3909 & CVE-2026-3910 exist in the wild,” Google said in a security advisory published on Thursday.
The first zero-day (CVE-2026-3909) stems from an out-of-bounds write weakness in Skia, an open-source 2D graphics library responsible for rendering web content and user interface elements, which attackers can exploit to crash the web browser or even gain code execution.
The second one (CVE-2026-3910) is described as an inappropriate implementation vulnerability in the V8 JavaScript and WebAssembly engine.
Google discovered both security flaws and patched them within two days of reporting for users in the Stable Desktop channel, with new versions rolling out to Windows (146.0.7680.75), macOS (146.0.7680.76), and Linux systems (146.0.7680.75).
While Google says the out-of-band update could take days or weeks to reach all users, it was immediately available when BleepingComputer checked for updates earlier today.
If you don’t want to update your web browser manually, you can also have it check for updates automatically and install them at the next launch.
Although Google found evidence that attackers are exploiting this zero-day flaw in the wild, the company didn’t share further details regarding these incidents.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed,” it noted.
These are the second and third actively exploited Chrome zero-days patched since the start of 2026. The first, tracked as CVE-2026-2441 and described as an iterator invalidation bug in CSSFontFeatureValuesMap (Chrome’s implementation of CSS font feature values), was addressed in mid-February.
Last year, Google fixed a total of eight zero-days exploited in the wild, many of which were reported by Google’s Threat Analysis Group (TAG), a group of security researchers known for tracking and identifying zero-days exploited in spyware attacks.
On Thursday, Google also revealed that it has paid over $17 million to 747 security researchers who reported security flaws through its Vulnerability Reward Program (VRP) in 2025.
Malware is getting smarter. The Red Report 2026 reveals how new threats use math to detect sandboxes and hide in plain sight.
Download our analysis of 1.1 million malicious samples to uncover the top 10 techniques and see if your security stack is blinded.
