Google patches two actively exploited Chrome zero-day vulnerabilities

Google issues emergency Chrome patches for two actively exploited zero-day vulnerabilities enabling remote code execution via malicious websites.

Mar 14, 2026
Technobezz


Emergency Chrome updates patch two zero-day vulnerabilities already being exploited by attackers, marking the second and third such incidents this year.

Google released out-of-band security fixes on Thursday for two high-severity flaws affecting core browser components. Tracked as CVE-2026-3909 and CVE-2026-3910, the vulnerabilities affect the Skia 2D graphics library and the V8 JavaScript engine, respectively.

Both issues allow remote code execution when users visit malicious websites, with low attack complexity increasing real-world risk. Google confirmed active exploitation before patches became available, though technical details remain restricted until most users update.

The first vulnerability involves an out-of-bounds write weakness in Skia, which handles web content rendering and interface elements. Attackers can exploit this to crash browsers or execute arbitrary code within sandboxed environments.

CVE-2026-3910 stems from an inappropriate implementation in V8, Chrome's JavaScript engine responsible for executing webpage scripts. Successful exploitation could enable attackers to bypass security boundaries through crafted HTML pages.

These represent the second and third actively exploited Chrome zero-days patched since January 2026, following a February fix for CVE-2026-2441 affecting CSS font handling. Last year saw eight total Chrome zero-days exploited in attacks, many identified by Google's Threat Analysis Group tracking spyware operations.

Updated versions include Chrome 146.0.7680.75/76 for Windows and macOS, with Linux receiving 146.0.7680.75. Users should enable automatic updates or manually check through browser settings; a restart is required to complete installation.
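For administrators checking a fleet against these builds, the following added example (not from Google or the original article) classifies hosts as patched, vulnerable, or updated on disk but still awaiting the restart. The inventory schema (`host`, `platform`, `installed`, `running`) and the sample records are assumptions constructed for illustration.

```python
import re

# First fixed build per platform, as given in the article.
FIXED = {
    "windows": (146, 0, 7680, 75),
    "macos": (146, 0, 7680, 75),
    "linux": (146, 0, 7680, 75),
}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not a 4-part version."""
    m = _VERSION_RE.match((text or "").strip())
    return tuple(int(p) for p in m.groups()) if m else None


def classify(record):
    """Classify one inventory record (hypothetical schema) against FIXED."""
    fixed = FIXED.get((record.get("platform") or "").lower())
    installed = parse_version(record.get("installed"))
    running = parse_version(record.get("running"))
    if fixed is None or installed is None:
        return "unknown"  # unparseable data goes to manual review
    if installed < fixed:
        return "vulnerable"
    if running is not None and running < fixed:
        return "restart-pending"  # update on disk, old process still live
    return "patched"


def audit(inventory):
    """Map host name to status for every record."""
    return {r["host"]: classify(r) for r in inventory}


# Constructed sample data: hosts and all version strings except the
# fixed build 146.0.7680.75/76 are made up for illustration.
SAMPLE = [
    {"host": "ws-01", "platform": "Windows", "installed": "146.0.7680.76", "running": "146.0.7680.76"},
    {"host": "ws-02", "platform": "Windows", "installed": "146.0.7680.75", "running": "146.0.7680.31"},
    {"host": "mac-01", "platform": "macOS", "installed": "146.0.7680.31", "running": None},
    {"host": "lin-01", "platform": "Linux", "installed": "146.0.7680.100", "running": "146.0.7680.100"},
    {"host": "lin-02", "platform": "Linux", "installed": "146.0.7680", "running": None},
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Versions are compared as integer tuples because a plain string comparison would rank the constructed build `146.0.7680.100` below `146.0.7680.75`.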

Google discovered both flaws internally on March 10 and delivered patches within approximately two days of reporting.

The Cybersecurity and Infrastructure Security Agency added both vulnerabilities to its Known Exploited Vulnerabilities catalog, mandating federal agency remediation by March 27. Google also revealed paying over $17 million to 747 security researchers through its Vulnerability Reward Program in 2025.
