Google Patches Two Actively Exploited Chrome Zero-Days
Google released an urgent Chrome stable channel update to address two high-severity zero-day vulnerabilities that the company says are being actively exploited in the wild. The patched versions are 146.0.7680.75/76 for Windows and macOS and 146.0.7680.75 for Linux, with rollout occurring over days to weeks. The flaws were reported internally by Google on March 10, and Google said access to additional bug details may remain restricted until most users have updated.
The two vulnerabilities are CVE-2026-3909, an out-of-bounds write in Skia, and CVE-2026-3910, an inappropriate implementation in V8. Both components are high-value targets because they sit in Chrome’s rendering and JavaScript execution paths, creating opportunities for malicious webpages to trigger memory corruption or unsafe browser behavior that could lead to arbitrary code execution. The update is a substantive security release rather than routine product news because Google explicitly confirmed that exploits exist for both issues, making rapid patching a priority for enterprises and end users.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Debian issues Chromium security update
Debian published security advisory DSA-6165-1 for Chromium, indicating downstream remediation for the Chrome vulnerabilities in the Chromium browser package. This reflects broader patch adoption beyond Google Chrome itself.
CISA adds both Chrome flaws to the KEV catalog
CISA added CVE-2026-3909 and CVE-2026-3910 to its Known Exploited Vulnerabilities catalog after Google confirmed active exploitation. The agency also directed Federal Civilian Executive Branch agencies to remediate the issues by March 27, 2026.
Google releases emergency Chrome update for CVE-2026-3909 and CVE-2026-3910
Google shipped a Chrome Stable desktop update to version 146.0.7680.75/76 for Windows and macOS and 146.0.7680.75 for Linux to fix the two high-severity zero-days. Google said it was restricting technical details because exploits existed in the wild and rollout would continue over the following days and weeks.
Google internally discovers and reports two Chrome zero-days
Google identified and reported CVE-2026-3909, an out-of-bounds write in Skia, and CVE-2026-3910, an inappropriate implementation issue in V8. The company later said both vulnerabilities were already being exploited in the wild at the time of disclosure.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
7 references tracked. Mallory keeps watching after this page renders.
Chrome Under Attack: Google Patches Two Actively Exploited Zero-Day Vulnerabilities (CVE-2026-3909, CVE-2026-3910) - Cyber Security News
cisonode.com
Open sourceActively exploited Google Chrome zero-days receive emergency fixes | brief | SC Media
scworld.com
Open source[SECURITY] [DSA 6165-1] chromium security update
lists.debian.org
Open sourceGoogle Fixes Two Actively Exploited Chrome Zero-Day Flaws - gHacks Tech News
ghacks.net
Open source16th March 2026 Cyber Update: Google Patches Actively Exploited Chrome Zero-Day
cybernewscentre.com
Open sourceChrome Zero-Day Vulnerabilities Actively Exploited in the Wild to Execute Malicious Code
cybersecuritynews.com
Open sourceChrome Releases: Stable Channel Update for Desktop
chromereleases.googleblog.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Google Patches Two Actively Exploited Chrome Zero-Day Vulnerabilities
Google released emergency Chrome updates to fix two **high-severity zero-day vulnerabilities**, `CVE-2026-3909` and `CVE-2026-3910`, that are being **exploited in the wild**. Advisory reporting says the flaws can enable **data manipulation** and **security restriction bypass**, prompting a **high-risk** assessment. Google has not disclosed attack details, indicating access to technical information may remain restricted until more users have installed the fixes. Technical reporting identifies `CVE-2026-3909` as an **out-of-bounds write** in **Skia**, Chrome’s graphics library, and `CVE-2026-3910` as an **inappropriate implementation** issue in the **V8 JavaScript and WebAssembly engine**. Google said both were patched within days of being reported, with fixes rolling out to the Stable Desktop channel for **Windows `146.0.7680.75`**, **macOS `146.0.7680.76`**, and **Linux `146.0.7680.75`**. The company warned that full update deployment may take days or weeks, making prompt browser updates important while exploitation is ongoing.
Apr 2, 2026
Google Patches Actively Exploited Chrome Zero-Day CVE-2026-2441 in CSS
Google released an out-of-band *Chrome Stable* update to fix **CVE-2026-2441**, a high-severity, actively exploited zero-day caused by a **use-after-free in Chrome’s CSS processing**. The flaw allows a remote attacker to trigger **arbitrary code execution within Chrome’s sandbox** via a crafted HTML page, making drive-by exploitation feasible if a user visits a malicious or compromised site. The issue is scored **CVSS 8.8** and has been characterized as **extremely high risk** due to confirmed in-the-wild exploitation. The patched versions include **Chrome 145.0.7632.75** (and `.76` per platform guidance) for Windows and macOS, and **144.0.7559.75** for Linux; organizations should prioritize rapid browser updates across managed endpoints. Public reporting credits **Shaheen Fazim** with discovering and reporting the vulnerability (reported Feb 11, 2026), while Google has not disclosed exploit details, threat actor attribution, or targeting information beyond confirming that an exploit exists in the wild.
Mar 21, 2026
Google Chrome Zero-Day CVE-2026-2441 Exploited in the Wild
Google released an urgent *Chrome for Desktop* Stable Channel update to address **CVE-2026-2441**, a high-severity zero-day that Google said has an exploit **active in the wild**. The issue is a **use-after-free in Chrome’s CSS component**, a memory-corruption flaw that can enable code execution in the browser context when a user visits a malicious or compromised webpage; the vulnerability was reported to Google by researcher **Shaheen Fazim**. The Canadian Centre for Cyber Security echoed the need to patch Chrome, advising organizations to update beyond affected Stable Channel versions (Windows/Mac prior to `145.0.7632.68` and Linux prior to `144.0.7559.67`), while third-party reporting indicated patched Stable builds rolling out to `145.0.7632.75/.76` (Windows/Mac) and `144.0.7559.75` (Linux). Other Canadian Centre advisories published in the same period covered unrelated vendor patches for **Tenable Nessus Agent** (CVE-2026-2026), **Juniper Secure Analytics (JSA)**, **HPE SimpliVity** (Intel firmware advisories), and **PostgreSQL** point releases; these are separate remediation items and not part of the Chrome zero-day event.
Mar 21, 2026