Google Chrome security update fixes two actively exploited zero-day vulnerabilities
Google has released an urgent Chrome update to patch two zero-day vulnerabilities (CVE-2026-3909 and CVE-2026-3910) that are being actively exploited by attackers. These flaws could allow for arbitrary code execution and crashes within the browser, impacting users across Windows, macOS, and Linux.
Key Highlights
- Urgent Chrome update released to fix actively exploited zero-day vulnerabilities.
- Two new critical vulnerabilities, CVE-2026-3909 and CVE-2026-3910, identified.
- Exploits can lead to code execution and browser crashes.
- Update recommended for all Windows, macOS, and Linux users.
- This marks the third actively exploited zero-day patched in Chrome this year.
Google has issued an emergency update for its Chrome web browser to address two high-severity zero-day vulnerabilities that have been actively exploited in the wild. The vulnerabilities, identified as CVE-2026-3909 and CVE-2026-3910, were discovered by Google on March 10, 2026, and patches were swiftly rolled out on March 13, 2026 [1, 3, 4]. The company is aware that exploits for both vulnerabilities currently exist, posing an immediate threat to users [1, 3, 4].
CVE-2026-3909 is an out-of-bounds write vulnerability within Skia, Google's open-source 2D graphics library. This flaw can be exploited through a crafted HTML page to corrupt memory, potentially leading to browser crashes or arbitrary code execution [1, 3, 4]. The second vulnerability, CVE-2026-3910, is an inappropriate implementation in the V8 JavaScript and WebAssembly engine. Attackers can leverage this vulnerability to execute arbitrary code within the browser's sandbox by creating malicious HTML pages [1, 3, 4].
These vulnerabilities affect Chrome on Windows, macOS, and Linux operating systems. Google has released updated versions, including 146.0.7680.75 for Windows and Linux, and 146.0.7680.76 for macOS. Chrome for Android has also received an update, version 146.0.76380.115 [1, 3]. While Google is rapidly deploying these patches, it acknowledges that the update may take days or weeks to reach all users. Therefore, users are strongly advised to manually check for updates and restart their browsers to ensure they are protected [1].
This incident marks the second and third actively exploited Chrome zero-days patched by Google in 2026, following the patching of CVE-2026-2441, a use-after-free bug in the CSS component, in mid-February [1, 5, 12, 15]. In 2025, Google patched a total of eight zero-day vulnerabilities in Chrome that were exploited in the wild [1, 9]. The increasing frequency of such exploits underscores the persistent threat posed by browser vulnerabilities, as they are a primary vector for attacks due to their widespread use and the constant handling of untrusted web content [5, 15].
Google typically restricts access to detailed information about newly patched vulnerabilities until a majority of users have applied the updates, a measure designed to prevent further exploitation [1, 4, 16]. While details about the specific actors or targets involved in exploiting these recent Chrome vulnerabilities have not been disclosed, Google's Threat Analysis Group (TAG) has previously reported that such bugs are often targeted by commercial spyware vendors [3].
For users in India and globally, it is crucial to maintain up-to-date software. Beyond immediate browser updates, best practices include being cautious about clicking on unsolicited links in emails or messages and enabling automatic updates for all software. Regularly restarting devices can also ensure that updates are properly applied and active [2]. The CVSS scores for both CVE-2026-3909 and CVE-2026-3910 are 8.8, indicating a high severity [3].
This situation is a reminder of the ongoing cybersecurity challenges faced by users worldwide. As the digital landscape evolves, staying vigilant and proactive with security measures is paramount. The prompt release of patches by Google demonstrates its commitment to user security, but the responsibility also lies with users to apply these crucial updates promptly.
Frequently Asked Questions
What are the two new zero-day vulnerabilities in Google Chrome?
The two newly patched zero-day vulnerabilities in Google Chrome are CVE-2026-3909 and CVE-2026-3910. CVE-2026-3909 is an out-of-bounds write vulnerability in the Skia graphics library, and CVE-2026-3910 is an inappropriate implementation vulnerability in the V8 JavaScript and WebAssembly engine.
Are these vulnerabilities being actively exploited?
Yes, Google is aware that exploits for both CVE-2026-3909 and CVE-2026-3910 exist in the wild, meaning they are being actively used by attackers.
What is the potential impact of these vulnerabilities?
Successful exploitation of these vulnerabilities could allow attackers to crash the browser or execute arbitrary code on a user's system, potentially leading to further compromise.
Which operating systems are affected by these vulnerabilities?
These vulnerabilities affect Google Chrome on Windows, macOS, and Linux operating systems.
How can I protect myself from these vulnerabilities?
To protect yourself, you should update your Google Chrome browser to the latest version as soon as possible. You can do this manually by going to Chrome's settings and checking for updates, then restarting the browser.