Google fixes two new Chrome zero‑days exploited in attacks
Google released emergency updates for Chrome, patching two high‑severity zero‑day vulnerabilities (CVE‑2026‑3909 and CVE‑2026‑3910) that were actively exploited in attacks. The first flaw is an out‑of‑bounds write in the Skia graphics library that allows attackers to crash the browser or execute code; the second is an inappropriate implementation issue in the V8 JavaScript/WebAssembly engine. Google identified both issues within two days of reporting and rolled out fixes for Windows (146.0.7680.75), macOS (146.0.7680.76), and Linux (146.0.7680.75). The updates are available immediately, but the out‑of‑band update may take a few weeks to reach all systems. These are the second and third actively exploited Chrome zero‑days patched in 2026, following CVE‑2026‑2441, which was addressed earlier in February.

Google’s latest emergency patch rollout has closed two critical Chrome vulnerabilities that were already being exploited in the wild. The updates, released for the Stable Desktop channel on Thursday, address CVE‑2026‑3909 and CVE‑2026‑3910—both high‑severity zero‑day flaws identified by Google’s Threat Analysis Group (TAG).
The first flaw, CVE‑2026‑3909, stems from an out‑of‑bounds write in Skia, the open‑source 2D graphics engine that Chrome uses to render web content and UI elements. Attackers can exploit this weakness to crash the browser or even gain arbitrary code execution. The second vulnerability, CVE‑2026‑3910, involves an inappropriate implementation in the V8 JavaScript and WebAssembly engines, potentially allowing attackers to manipulate memory and run malicious code.
Google discovered both issues and applied patches within just two days of their being reported. The new versions (Windows 146.0.7680.75, macOS 146.0.7680.76, and Linux 146.0.7680.75) are now available for download. While the update may take some time to propagate across all user systems, it was immediately visible in BleepingComputer’s automated checks earlier today.
If you prefer not to manually install updates, Chrome can be configured to check for new releases automatically and apply them at the next launch. This ensures that your browser remains protected against these emerging threats without any manual intervention.
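Because the rollout can take time to reach every machine, a fleet check against the fixed builds listed above is useful. The following is an added example, not code from Google or the article: the fixed versions are the ones quoted in the text, while the inventory rows, hostnames and status labels are constructed for illustration.

```python
# Added example: flag hosts whose Chrome build is below the fixed build.
# Fixed versions are taken from the article; everything else is constructed.
FIXED = {
    "windows": "146.0.7680.75",
    "macos": "146.0.7680.76",
    "linux": "146.0.7680.75",
}

# Constructed sample inventory: (hostname, platform, reported Chrome version)
SAMPLE_INVENTORY = [
    ("ws-001", "windows", "146.0.7680.75"),
    ("ws-002", "windows", "146.0.7680.8"),    # 8 < 75 as numbers, but "8" > "75" as text
    ("mac-001", "macos", "146.0.7680.75"),    # one build short of the macOS fix
    ("lnx-001", "linux", "147.0.7700.10"),    # constructed later build
    ("lnx-002", "linux", "unknown"),          # agent did not report a version
    ("bsd-001", "freebsd", "146.0.7680.75"),  # no fixed build listed for this OS
]


def parse_version(text):
    """Return a 4-tuple of ints for a Chrome version, or None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def classify(platform, version):
    """Return 'patched', 'needs_update' or 'unknown' for one host."""
    fixed = FIXED.get(platform.lower())
    seen = parse_version(version)
    if fixed is None or seen is None:
        return "unknown"  # route to manual review; never count as patched
    # Tuple comparison is numeric per component, unlike string comparison.
    return "patched" if seen >= parse_version(fixed) else "needs_update"


def audit(inventory):
    """Map each hostname to its classification."""
    return {host: classify(plat, ver) for host, plat, ver in inventory}


if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts that come back `unknown` should be reviewed by hand rather than assumed safe.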
Google has cautioned that detailed information about the exploitation incidents will remain restricted until a majority of users have applied the fix. The company also noted that if the vulnerability exists in third‑party libraries used by other projects, those dependencies may still need to be addressed before full remediation is possible.
These patches represent the second and third actively exploited Chrome zero‑days fixed since 2026 began. The first was CVE‑2026‑2441, an iterator invalidation bug in CSSFontFeatureValuesMap, resolved in mid‑February. Last year, Google patched eight such vulnerabilities, many of which were reported by TAG researchers.
In a related note, Google announced that it paid over $17 million to 747 security researchers through its Vulnerability Reward Program (VRP) in 2025—a testament to the company’s commitment to rapid vulnerability discovery and remediation.