Google Patches Two New Chrome Zero-Day Vulnerabilities Exploited in Real-World Attacks

Google Releases Emergency Patches for Two Chrome Zero-Days

Google has issued urgent security updates to address two high-severity vulnerabilities in its Chrome browser, which have been exploited in zero-day attacks.

Details of the Vulnerabilities

The company has confirmed that exploits for both CVE-2026-3909 and CVE-2026-3910 are circulating in the wild.

The first vulnerability, CVE-2026-3909, is an out-of-bounds write flaw in the Skia graphics library, which is used to render web content and user interface elements. This weakness can be leveraged by attackers to crash the browser or potentially execute arbitrary code.

The second vulnerability, CVE-2026-3910, is an implementation flaw in the V8 JavaScript and WebAssembly engine.

Updates and Response

Google discovered both vulnerabilities and released patches within a 48-hour period, with updated versions of Chrome rolling out to Windows, macOS, and Linux systems.

The updated versions are 146.0.7680.75 for Windows and Linux, and 146.0.7680.76 for macOS.

Although the out-of-band update may take several days or weeks to reach all users, it is available immediately for those who manually check for updates.

Context and Previous Incidents

These two vulnerabilities are the second and third actively exploited Chrome zero-days patched by Google this year.

In mid-February, the company addressed CVE-2026-2441, an iterator invalidation bug in Chrome’s implementation of CSS font feature values.

Last year, Google fixed a total of eight zero-days exploited in the wild, many of which were reported by the company’s Threat Analysis Group.

Related Development

In a related development, Google announced that it has paid over $17 million to 747 security researchers who reported security flaws through its Vulnerability Reward Program in 2025.

About Author

Vaibhav

See author's posts