GBHackers

Two Newly Discovered Chrome Zero-Days Exploited in the Wild to Run Malicious Code


Google has released an urgent security update for its Chrome desktop browser to address two critical zero-day vulnerabilities.

Tracked as CVE-2026-3909 and CVE-2026-3910, both flaws are categorized as high-severity and are confirmed to be actively exploited by attackers in the wild.

Users are strongly advised to update their browsers immediately to protect against potential malicious code execution and system compromise.

Technical Details of the Vulnerabilities

The March 12, 2026, Stable Channel update specifically resolves two major security flaws discovered by Google’s own internal teams on March 10, 2026.

The first vulnerability, CVE-2026-3909, is an “out-of-bounds write” flaw located in Skia. Skia is an open-source 2D graphics library that serves as the core graphics engine for Chrome.

An out-of-bounds write occurs when a program writes data past the intended boundary of an allocated memory buffer.

Attackers can exploit this memory corruption to crash the browser or execute arbitrary malicious code on the victim’s device.

The second vulnerability, CVE-2026-3910, is an “inappropriate implementation” in V8. V8 is the high-performance JavaScript and WebAssembly engine that powers the browser.

An implementation flaw in a component this central can allow threat actors to bypass the browser's security sandbox, manipulate browser memory, and run unauthorized scripts stealthily in the background.

Google has explicitly acknowledged that exploits for both CVE-2026-3909 and CVE-2026-3910 currently exist in the wild.

This confirms that cybercriminals or state-sponsored threat actors are actively utilizing these vulnerabilities in real-world attack campaigns.

By tricking a user into visiting a specially crafted malicious website, an attacker could trigger these flaws without requiring any additional interaction from the victim.

To prevent further abuse, Google is intentionally restricting access to the precise technical details of these bugs until a majority of the user base has successfully updated to a secure version.

Patching and Mitigation Strategies

Users and system administrators must prioritize applying the latest patches to secure their network environments. The fixed versions are rolling out gradually.

To mitigate these threats, verify and apply the following updates:

  • Windows and Mac users must update to Chrome version 146.0.7680.75 or 146.0.7680.76.
  • Linux users must update to Chrome version 146.0.7680.75.
  • Users of other Chromium-based browsers like Microsoft Edge, Brave, or Vivaldi should monitor for and apply corresponding vendor updates immediately.

To update Google Chrome manually, navigate to the Chrome menu, select “Help,” and click on “About Google Chrome.”

The browser will automatically check for the latest update and prompt for a restart to apply the patch securely.
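As an added example (not from the article or from Google), the check below lets an administrator compare an installed Chrome version string against the fixed builds listed above, using numeric tuple comparison so that a build such as `.9` is never mistaken for being newer than `.75`. The `google-chrome` binary name and the sample version strings are assumptions.

```python
import re
import subprocess
from typing import Optional

# Minimum fixed Stable Channel builds from the advisory (March 12, 2026).
# Windows/Mac shipped .75 and .76; Linux shipped .75, so .75 is the floor everywhere.
FIXED_VERSIONS = {
    "windows": "146.0.7680.75",
    "mac": "146.0.7680.75",
    "linux": "146.0.7680.75",
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[tuple]:
    """Extract a four-part Chrome version from text such as
    'Google Chrome 146.0.7680.75' and return it as a comparable tuple."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_patched(version_text: str, platform: str) -> bool:
    """True if the installed version is at or above the fixed build for the platform.
    Unparseable input is treated as unpatched so it shows up for follow-up."""
    installed = parse_version(version_text)
    minimum = parse_version(FIXED_VERSIONS[platform.lower()])
    if installed is None:
        return False
    return installed >= minimum


def installed_chrome_version(binary: str = "google-chrome") -> Optional[str]:
    """Ask the local browser for its version (`google-chrome --version` style).
    Returns None if the binary is absent or does not answer in time."""
    try:
        out = subprocess.run([binary, "--version"], capture_output=True, text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    # Constructed sample outputs, not captured from a real host.
    for text, plat in [("Google Chrome 146.0.7680.76", "windows"),
                       ("Google Chrome 146.0.7678.100", "mac"),
                       ("Google Chrome 145.0.7632.170", "linux")]:
        print(f"{plat:8} {text:30} patched={is_patched(text, plat)}")
```

On a live host, pass the result of `installed_chrome_version()` to `is_patched()` together with the platform name.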

While Google relies heavily on memory-error detection tools such as AddressSanitizer and MemorySanitizer to catch these flaws internally, rapid user patching remains the most effective defense against active zero-day exploitation.
