Security & Infrastructure Tools

Google fixes two new Chrome zero‑days exploited in attacks

Google released emergency updates for Chrome, patching two high‑severity zero‑day vulnerabilities (CVE‑2026‑3909 and CVE‑2026‑3910) that were actively exploited in attacks. The first flaw involves an out‑of‑bounds write in the Skia graphics library, allowing attackers to crash or execute code; the second is an inappropriate implementation issue in the V8 JavaScript/WebAssembly engine. Google identified both issues within two days of reporting and rolled out fixes to Windows (146.0.7680.75), macOS (146.0.7680.76), and Linux (146.0.7680.75). The updates are immediately available, but users may need a few weeks for the out‑of‑band update to reach all systems. This is the second and third actively exploited Chrome zero‑day patched in 2026, following CVE‑2026‑2441 addressed earlier in February.

TechLogHub

March 13, 2026

Keep Reading

Security & Infrastructure ToolsJun 12, 2026

Ukrainian national pleads guilty to role in Conti ransomware operation

A Ukrainian national extradited from Ireland to the United States pleaded guilty to conspiracy to commit wire fraud in connection with the Conti ransomware operation, admitting to joining the group in September 2021 and possessing data stolen from eight U.S. victims and four overseas victims. He helped code a loader used in attacks and faces up to 20 years in prison. Conti, linked to TrickBot, targeted more than 1,000 victims and collected over $150 million in ransom before disbanding in 2022.

Security & Infrastructure ToolsJun 12, 2026

Over 400 Arch Linux packages compromised to push rootkit, infostealer

More from the Blog

View all

Security & Infrastructure Tools

Microsoft Adds Copilot Data Controls to All Storage Locations

Microsoft is expanding its data‑loss prevention controls to block the Microsoft 365 Copilot AI assistant from processing confidential Word, Excel and PowerPoint documents regardless of where they are stored—whether on local devices or in SharePoint/OneDrive. The update will be deployed through the Augmentation Loop (AugLoop) Office component between late March and late April 2026, automatically enabling the restriction for organizations that already have DLP policies set to block Copilot from handling sensitivity‑labeled content. This change follows a bug that had allowed Copilot to summarize confidential emails in users’ Sent Items and Drafts folders despite active DLP protections.

Feb 25, 2026

Security & Infrastructure Tools

Previously harmless Google API keys now expose Gemini AI data

Stay Updated

Get the next deep dive in your inbox

Subscribe for product analysis, engineering explainers, and practical guides published on TechLogHub.

Stay Updated

Get weekly insights, product updates, and launches straight to your inbox.

Google’s latest emergency patch rollout has closed two critical Chrome vulnerabilities that were already being exploited in the wild. The updates, released for the Stable Desktop channel on Thursday, address CVE‑2026‑3909 and CVE‑2026‑3910—both high‑severity zero‑day flaws identified by Google’s Threat Analysis Group (TAG).

The first flaw, CVE‑2026‑3909, stems from an out‑of‑bounds write in Skia, the open‑source 2D graphics engine that Chrome uses to render web content and UI elements. Attackers can exploit this weakness to crash the browser or even gain arbitrary code execution. The second vulnerability, CVE‑2026‑3910, involves an inappropriate implementation in the V8 JavaScript and WebAssembly engines, potentially allowing attackers to manipulate memory and run malicious code.

Google discovered both issues and applied patches within just two days of reporting. New versions—Windows 146.0.7680.75, macOS 146.0.7680.76, and Linux 146.0.7680.75—are now available for download. While the update may take some time to propagate across all user systems, it was immediately visible in BleepingComputer’s automated checks earlier today.

If you prefer not to manually install updates, Chrome can be configured to check for new releases automatically and apply them at the next launch. This ensures that your browser remains protected against these emerging threats without any manual intervention.

Google has cautioned that detailed information about the exploitation incidents will remain restricted until a majority of users have applied the fix. They also noted that if the vulnerability exists in third‑party libraries used by other projects, those dependencies may still need to be addressed before full remediation is possible.

These patches represent the second and third actively exploited Chrome zero‑days fixed since 2026 began. The first was CVE‑2026‑2441, an iterator invalidation bug in CSSFontFeatureValuesMap, resolved in mid‑February. Last year, Google patched eight such vulnerabilities, many of which were reported by TAG researchers.

In a related note, Google announced that it paid over $17 million to 747 security researchers through its Vulnerability Reward Program (VRP) in 2025—a testament to the company’s commitment to rapid vulnerability discovery and remediation.

Google fixes two new Chrome zero‑days exploited in attacks

Related Posts

Ukrainian national pleads guilty to role in Conti ransomware operation

Over 400 Arch Linux packages compromised to push rootkit, infostealer

More from the Blog

Microsoft Adds Copilot Data Controls to All Storage Locations

Previously harmless Google API keys now expose Gemini AI data

Get the next deep dive in your inbox

Stay Updated

Early Warning Signs of Supply-Chain Attacks Live in the Dark Web

Microsoft says bug in classic Outlook hides the mouse pointer

Product

Learn

Company

Legal

Stay Updated

Browse by Category

What's New