Google Patches Actively Exploited Chrome Zero-Day Flaws

Summary
– Google has released emergency updates to patch two high-severity Chrome zero-day vulnerabilities (CVE-2026-3909 & CVE-2026-3910) that are being actively exploited.
– The first flaw is an out-of-bounds write in the Skia graphics library, while the second is an inappropriate implementation in the V8 JavaScript engine.
– Updates are rolling out for Windows, macOS, and Linux, but Google notes the patch may take days or weeks to reach all users automatically.
– These are the second and third Chrome zero-days patched in 2026, following one fixed in February, after Google addressed eight such flaws in the previous year.
– Google also disclosed it paid over $17 million to security researchers in 2025 through its Vulnerability Reward Program.
Google has issued urgent security patches to address two critical vulnerabilities in its Chrome browser that are already being actively exploited by attackers. These emergency updates, released outside the normal schedule, are designed to protect users from potential attacks that leverage these flaws before they can be widely patched. Users are strongly advised to update their Chrome browsers immediately to the latest version to ensure their systems are protected.
The company confirmed it is aware of active exploits in the wild for both security issues, identified as CVE-2026-3909 and CVE-2026-3910. The first flaw, CVE-2026-3909, is an out-of-bounds write weakness within Skia. Skia is the open-source graphics library Chrome uses to render web pages and interface elements. This type of vulnerability can allow attackers to cause the browser to crash or, more dangerously, execute malicious code on a user’s system.
The second patched vulnerability, CVE-2026-3910, is categorized as an inappropriate implementation in the V8 engine. V8 is Chrome’s core component for processing JavaScript and WebAssembly code, making it a high-value target for attackers seeking to compromise browser security.
Google’s security team discovered both flaws and moved rapidly to develop and deploy fixes. Updated versions for the Stable Desktop channel were released within two days of the initial report. The patched builds are version 146.0.7680.75 for Windows and Linux, and 146.0.7680.76 for macOS. While the rollout is progressive and may take some time to reach every user globally, the update was available for manual checking upon release.
To stay protected, users can manually check for updates by navigating to Chrome’s Help menu and selecting “About Google Chrome.” The browser will then search for and install any available updates. Alternatively, enabling automatic updates ensures the latest security patches are applied as soon as they are released, typically upon the next browser restart.
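A fleet-side complement to the manual check above, as an added example (not Google's or the article's code): it compares Chrome versions reported from endpoints against the per-platform patched builds the article lists, so a defender can see which machines are still below the fixed version. The "host, platform, version" inventory format and the hostnames are constructed for this illustration.

```python
"""Fleet check: does an installed Chrome build include the fixes for
CVE-2026-3909 / CVE-2026-3910? Added example, not Google's or the
article's code; the inventory line format below is an assumption."""
import re

# Minimum patched Stable Desktop builds per platform, from the advisory.
PATCHED = {
    "windows": (146, 0, 7680, 75),
    "linux": (146, 0, 7680, 75),
    "macos": (146, 0, 7680, 76),
}
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Four-part version from e.g. 'Google Chrome 146.0.7680.75', or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def is_patched(platform, version_text):
    """True at/above the platform's patched build, False if older,
    None if no version could be parsed."""
    version = parse_version(version_text)
    if version is None:
        return None
    # Tuple comparison is numeric per component, so 146.0.7680.9 sorts
    # below 146.0.7680.75 (a plain string comparison would get this wrong).
    return version >= PATCHED[platform.lower()]


def audit(inventory):
    """Bucket 'host, platform, version-string' lines by patch status."""
    result = {"patched": [], "vulnerable": [], "unknown": []}
    for line in inventory.strip().splitlines():
        host, platform, ver = (f.strip() for f in line.split(",", 2))
        status = is_patched(platform, ver)
        bucket = "unknown" if status is None else ("patched" if status else "vulnerable")
        result[bucket].append(host)
    return result


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = """
ws-01, windows, Google Chrome 146.0.7680.75
ws-02, linux, Google Chrome 146.0.7680.9
mac-01, macos, Google Chrome 146.0.7680.75
mac-02, macos, Google Chrome 146.0.7680.76
ws-03, windows, Chrome not installed
"""

if __name__ == "__main__":
    print(audit(SAMPLE_INVENTORY))
```

Note that mac-01 is flagged vulnerable even though it runs the build that is fixed on Windows and Linux, because the macOS fix shipped one patch level later.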
Google has withheld specific technical details about the vulnerabilities and the ongoing attacks. The company’s standard policy is to limit public information until most users have had the opportunity to install the fix. This cautious approach helps prevent other malicious actors from reverse-engineering the patches to create their own exploits before widespread adoption.
These two flaws represent the second and third zero-day vulnerabilities Chrome has addressed this year that were under active attack. The first, patched in February, was tracked as CVE-2026-2441, an iterator invalidation issue in the browser’s CSS font handling. In the previous year, Google resolved a total of eight such in-the-wild zero-days, many uncovered by its internal Threat Analysis Group, which specializes in tracking sophisticated spyware campaigns.
In related news, Google also disclosed its continued investment in external security research. The company paid out more than $17 million in rewards through its Vulnerability Reward Program in 2025, compensating 747 researchers for responsibly reporting security weaknesses. This program is a key component of Google’s strategy to identify and fix vulnerabilities before they can be exploited maliciously.
(Source: Bleeping Computer)