Google has rushed out an emergency security update for Chrome browser users after discovering two critical zero-day vulnerabilities currently under active exploitation by cybercriminals.
The tech giant confirmed that both flaws, designated CVE-2026-3909 and CVE-2026-3910, pose high-severity risks and could enable attackers to execute malicious code on compromised systems. The security patches are included in Chrome Stable Channel version 146.0.7680.75/76 for Windows and macOS, and version 146.0.7680.75 for Linux.
Google's internal security team identified both vulnerabilities and reported them on March 10, 2026, according to the company's security advisory. The update deployment is proceeding in phases over the coming days and weeks.
The first vulnerability, CVE-2026-3909, is an out-of-bounds write flaw in Skia, Chrome's graphics rendering engine responsible for processing images and visual content. This type of memory corruption bug occurs when a program writes data beyond the boundaries of allocated memory, potentially allowing threat actors to manipulate memory structures and achieve arbitrary code execution within the browser environment.
Meanwhile, CVE-2026-3910 stems from an inappropriate implementation issue affecting V8, Chrome's high-performance JavaScript processing engine. Since V8 handles JavaScript execution within the browser, vulnerabilities in this critical component are particularly concerning as they can be triggered through malicious web content.
Successful exploitation of the V8 flaw could permit attackers to manipulate browser processes, potentially leading to remote code execution or broader system compromise.
Google has acknowledged that threat actors are already leveraging both vulnerabilities in real-world attacks. However, the company is withholding details about the specific exploitation methods, the threat groups involved, and the targeted attack campaigns.
This deliberate disclosure limitation reflects Google's standard security practice of restricting technical vulnerability details until the majority of users have applied security updates. This approach aims to prevent malicious actors from using disclosed information to develop new exploitation techniques.
Zero-day vulnerabilities present heightened security risks because they are exploited before patches become widely available to users. Cybercriminals frequently deploy these unknown flaws in targeted operations against high-value targets, including enterprises, government agencies, journalists, and other sensitive organizations.
The discovery highlights the ongoing cat-and-mouse game between security researchers and cybercriminals in the browser security landscape. Chrome users should prioritize installing the latest security update immediately to protect against these active threats.
Google recommends that users verify their Chrome installation has automatically updated to the latest version by checking the browser's "About Chrome" section. Organizations should also ensure their managed Chrome deployments receive these critical security patches as quickly as possible.
Security experts will be closely monitoring for additional details about these exploitation campaigns as Google gradually releases more information following widespread patch adoption.
