Google has released an out-of-band Chrome update to fix two high-severity zero-day vulnerabilities being actively exploited in the wild. The update is available now for Windows, macOS, and Linux.
"Google is aware that exploits for both CVE-2026-3909 & CVE-2026-3910 exist in the wild," Google said in a security advisory published on Thursday.
Target versions: Windows (146.0.7680.75), macOS (146.0.7680.76), and Linux (146.0.7680.75).
The Two Zero-Day Vulnerabilities
CVE-2026-3909 is an out-of-bounds write vulnerability in Skia, the open-source 2D graphics library Chrome uses to render web content and user interface elements. Out-of-bounds write flaws in rendering components can allow attackers to crash the browser or achieve code execution.
CVE-2026-3910 is an inappropriate implementation vulnerability in V8, Chrome's JavaScript and WebAssembly engine. Google has not published technical details for either flaw while the update is still rolling out to users.
Google discovered both vulnerabilities internally and issued patches within two days of reporting.
How to Install the Emergency Chrome Update
Chrome updates automatically, but the fix can be applied immediately by going to Settings > Help > About Google Chrome. The browser will check for and install the update, requiring a relaunch to apply.
Google states the update could take days or weeks to reach all users through the standard rollout process.
Context and Previous Chrome Zero-Day Exploits
These are the second and third actively exploited Chrome zero-days patched in 2026. The first, CVE-2026-2441, an iterator invalidation bug in CSSFontFeatureValuesMap, was fixed in mid-February. Google patched eight actively exploited Chrome zero-days across all of 2025.
Google has not shared details about the attacks exploiting these flaws and states that bug details will remain restricted until a majority of users have applied the fix.
Thank you for being a Ghacks reader. The post Google Patches Two Chrome Zero-Day Vulnerabilities Exploited in Active Attacks appeared first on gHacks.
0 Commentaires