YT YdRmNE

Two Newly Discovered Chrome Zero-Days Exploited in the Wild to Run Malicious Code

Google has issued an urgent security update for its Chrome desktop browser to patch two critical zero-day vulnerabilities.

Tracked as CVE-2026-3909 and CVE-2026-3910, both flaws are classified as high-severity and are confirmed to be actively exploited by attackers in the wild.

Users are strongly advised to update their browsers immediately to protect against potential malicious code execution and system compromise.

Technical Details of the Vulnerabilities

The March 12, 2026, Stable Channel update resolves two major security flaws discovered by Google’s internal teams on March 10, 2026.

The first vulnerability, CVE-2026-3909, involves an “out-of-bounds write” flaw within Skia. Skia is the core open-source 2D graphics engine used by Chrome.

An “out-of-bounds write” occurs when a program writes data beyond the intended memory buffer’s boundaries, potentially allowing attackers to crash the browser or execute arbitrary malicious code.

The second vulnerability, CVE-2026-3910, stems from an “inappropriate implementation” in V8. V8 is the high-performance JavaScript and WebAssembly engine powering the browser.

An implementation flaw in such a critical component can allow threat actors to bypass security sandboxes, manipulate browser memory, and run unauthorized scripts stealthily in the background.

Google explicitly confirms that exploits for both CVE-2026-3909 and CVE-2026-3910 currently exist in the wild, confirming active targeting by cybercriminals or state-sponsored actors.

Attackers can deceive users into visiting a specially crafted malicious website, triggering these flaws without requiring additional interaction from the victim.

Access to the precise technical details of these vulnerabilities is restricted until the majority of users have patched to mitigate abuse.

Patching and Mitigation Strategies

Users and administrators must prioritize applying the latest patches to secure networks. The fixed versions are rolling out gradually.

To mitigate threats, ensure installation of:

  • Windows and Mac users: Chrome version 146.0.7680.75 or 146.0.7680.76.
  • Linux users: Chrome version 146.0.7680.75.
  • Other Chromium-based browsers (Microsoft Edge, Brave, Vivaldi): Monitor vendors for corresponding updates.

To update Chrome manually, visit the Chrome menu > Help > About Google Chrome. The browser will automatically check for updates and prompt for a restart to apply the patch securely.

While Google relies on advanced internal testing frameworks like AddressSanitizer and MemorySanitizer to identify flaws, rapid user patching remains the most effective defense against active zero-day exploitation.

Related Articles

Back to top button