Google on Thursday released security updates for its Chrome web browser to fix two high-severity vulnerabilities, CVE-2026-3909 and CVE-2026-3910, that the company said have been exploited in the wild. The flaws affect the Skia 2D graphics library and the V8 JavaScript and WebAssembly engine and were both discovered and reported by Google on March 10, 2026.
CVE-2026-3909, rated CVSS 8.8, is an out-of-bounds write vulnerability in Skia that allows a remote attacker to perform out-of-bounds memory access via a crafted HTML page. CVE-2026-3910, also rated CVSS 8.8, is an inappropriate implementation vulnerability in V8 that allows a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
Google said it is aware that exploits for both vulnerabilities exist in the wild, but did not disclose additional details about the attacks or who is behind them. The company said it withheld those details to prevent other threat actors from exploiting the issues, a practice it has also followed in other browser security incidents, including cases where Chrome extensions turned malicious after ownership transfers and older Chromium issues such as a critical Chromium Blink vulnerability drew attention to browser attack surfaces.
The Hacker News reported that Google has now patched three actively exploited Chrome zero-days since the start of 2026. The latest fixes come less than a month after the company addressed CVE-2026-2441, a high-severity use-after-free flaw in Chrome’s CSS component that had also been exploited as a zero-day.
CISA adds both Chrome flaws to KEV catalog
The U.S. Cybersecurity and Infrastructure Security Agency added both Chrome vulnerabilities to its Known Exploited Vulnerabilities catalog on March 13, 2026. The agency directed Federal Civilian Executive Branch agencies to apply the fixes by March 27, 2026.
Google’s Chrome release notes show the browser was updated to version 146.0.7680.80 for Windows, macOS, and Linux on March 13, 2026. The company said access to bug details and related links may remain restricted until a majority of users are updated with a fix.
