Google Patches Two Actively Exploited Chrome Zero-Day Vulnerabilities
Google released emergency Chrome updates to fix two high-severity zero-day vulnerabilities, CVE-2026-3909 and CVE-2026-3910, that are being exploited in the wild. Advisory reporting says the flaws can enable data manipulation and security restriction bypass, prompting a high-risk assessment. Google has not disclosed attack details, indicating access to technical information may remain restricted until more users have installed the fixes.
Technical reporting identifies CVE-2026-3909 as an out-of-bounds write in Skia, Chrome’s graphics library, and CVE-2026-3910 as an inappropriate implementation issue in the V8 JavaScript and WebAssembly engine. Google said both were patched within days of being reported, with fixes rolling out to the Stable Desktop channel for Windows 146.0.7680.75, macOS 146.0.7680.76, and Linux 146.0.7680.75. The company warned that full update deployment may take days or weeks, making prompt browser updates important while exploitation is ongoing.
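An added example, not part of the original article or any Google tooling: a fleet check that compares inventory-reported Chrome versions against the fixed Stable builds listed above, component by component rather than as strings. The inventory rows, host names, the 145.x build and the `assess` helper are constructed for illustration.

```python
from datetime import date

# Fixed Stable builds per platform, as listed in the paragraph above.
# macOS is held to .76, the stricter of the builds the page mentions for it.
FIXED = {
    "windows": "146.0.7680.75",
    "macos": "146.0.7680.76",
    "linux": "146.0.7680.75",
}
KEV_DEADLINE = date(2026, 3, 27)  # CISA remediation deadline given on this page

def parse_version(text):
    """Turn 'a.b.c.d' into a tuple of ints; raise ValueError on anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version: {text!r}")
    return tuple(int(p) for p in parts)

def assess(record, today):
    """Classify one (host, platform, version) row as patched, vulnerable or unknown."""
    host, platform, version = record
    fixed = FIXED.get(platform.lower())
    if fixed is None:
        return host, "unknown", f"no fixed build listed for {platform}"
    try:
        installed = parse_version(version)
    except ValueError as exc:
        return host, "unknown", str(exc)
    # Tuple comparison is numeric per component, so build .9 sorts below .75.
    if installed >= parse_version(fixed):
        return host, "patched", version
    days_left = (KEV_DEADLINE - today).days
    due = f"{days_left} days to KEV deadline" if days_left >= 0 else "KEV deadline passed"
    return host, "vulnerable", f"{version} < {fixed}, {due}"

# Constructed inventory rows: (host, platform, reported Chrome version).
INVENTORY = [
    ("ws-001", "Windows", "146.0.7680.75"),
    ("ws-002", "Windows", "146.0.7680.9"),
    ("mac-014", "macOS", "146.0.7680.75"),
    ("lnx-203", "Linux", "145.0.7632.160"),
    ("kiosk-7", "ChromeOS", "146.0.7680.80"),
    ("ws-003", "Windows", "unknown"),
]

if __name__ == "__main__":
    for row in INVENTORY:
        print(*assess(row, date(2026, 3, 13)), sep="\t")
```

Rows that come back as `unknown` need manual follow-up, since a missing or malformed version string says nothing about whether the fix is installed.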

How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
CISA adds both Chrome flaws to the KEV catalog
CISA updated its Known Exploited Vulnerabilities Catalog to add CVE-2026-3909 and CVE-2026-3910 as known exploited vulnerabilities. The agency set a remediation deadline of 2026-03-27 and directed organizations to apply vendor mitigations or discontinue use if mitigations were unavailable.
Google releases emergency Chrome updates for CVE-2026-3909 and CVE-2026-3910
Google shipped Chrome Stable fixes for Windows, macOS, and Linux to address the two high-severity zero-days, with versions including 146.0.7680.75/76 for Windows and Mac and 146.0.7680.75 for Linux. The company said technical details would be withheld until most users had updated because the vulnerabilities were under active exploitation.
Google discovers two Chrome zero-day vulnerabilities
Google internally discovered CVE-2026-3909, an out-of-bounds write in Skia, and CVE-2026-3910, an inappropriate implementation issue in the V8 JavaScript and WebAssembly engine. Both flaws were later identified as being actively exploited in the wild.
Sources
Google Chrome Multiple Vulnerabilities (hkcert.org)
Critical Chrome Security Flaws Threaten Billions of Users Worldwide (techrepublic.com)
Google fixed two new actively exploited flaws in the Chrome browser (securityaffairs.com)
Google Fixes Two Chrome Zero-Days Exploited in the Wild Affecting Skia and V8 (thehackernews.com)
Google warns of two actively exploited Chrome zero days | CSO Online (csoonline.com)
Add Updated KEV Files for 2026-03-13 · cisagov/kev-data@9c6d0a5 · GitHub (github.com)
Google fixes two new Chrome zero-days exploited in attacks (bleepingcomputer.com)
Google rushes Chrome update to fix zero-days under attack • The Register (go.theregister.com)


