Google Fixes Two Actively Exploited Chrome Zero-Day Flaws

[harlan4096]

Google has released an out-of-band Chrome update to fix two high-severity zero-day vulnerabilities being actively exploited in the wild. The update is available now for Windows, macOS, and Linux.

"Google is aware that exploits for both CVE-2026-3909 & CVE-2026-3910 exist in the wild," Google said in a security advisory published on Thursday.

Target versions: Windows (146.0.7680.75), macOS (146.0.7680.76), and Linux (146.0.7680.75).

The Two Zero-Day Vulnerabilities

CVE-2026-3909 is an out-of-bounds write vulnerability in Skia, the open-source 2D graphics library Chrome uses to render web content and user interface elements. Out-of-bounds write flaws in rendering components can allow attackers to crash the browser or achieve code execution.

CVE-2026-3910 is an inappropriate implementation vulnerability in V8, Chrome's JavaScript and WebAssembly engine. Google has not published technical details for either flaw while the update is still rolling out to users.

Google discovered both vulnerabilities internally and issued patches within two days of reporting.

Continue Reading...