Google has released a security update for Chrome to fix two high severity vulnerabilities that are already being exploited in real world attacks.
Quick Summary – TLDR:
- Google fixed two actively exploited Chrome vulnerabilities tracked as CVE-2026-3909 and CVE-2026-3910.
- The flaws affect Skia graphics library and the V8 JavaScript engine used in Chrome.
- Both vulnerabilities can be triggered using maliciously crafted HTML pages.
- Users are advised to update Chrome immediately to the latest available versions.
What Happened?
Google has released an urgent security update for the Chrome web browser to address two high severity vulnerabilities that attackers are already exploiting in the wild. The flaws were discovered by Google researchers and were fixed shortly after being reported.
The company confirmed the active exploitation and warned users to update their browsers as soon as the patched versions become available.
Google has issued an urgent security update for its Chrome browser after confirming that two high-severity zero-day vulnerabilities are actively being exploited in the wild.
— GuardingPearSoftware (@GuardingPearSof) March 13, 2026
The vulnerabilities allow attackers to execute malicious code on a victim’s system. Users are advised to… pic.twitter.com/EC6SCmrKuh
Two Serious Vulnerabilities Identified
The vulnerabilities are tracked as CVE-2026-3909 and CVE-2026-3910, and both carry a CVSS severity score of 8.8, placing them in the high risk category.
According to Google, both issues could allow attackers to compromise systems if a victim opens a specially crafted web page.
The vulnerabilities include:
- CVE-2026-3909 – An out of bounds write vulnerability in the Skia 2D graphics library, which is responsible for rendering web content and user interface elements in Chrome. Attackers could exploit the flaw to cause memory corruption or potentially execute code.
- CVE-2026-3910 – An inappropriate implementation issue in the V8 JavaScript and WebAssembly engine, which could allow a remote attacker to run arbitrary code inside the browser sandbox using a crafted HTML page.
Both vulnerabilities were discovered and reported by Google on March 10, 2026.
Google confirmed the situation in its advisory, stating:
“Google is aware that exploits for both CVE-2026-3909 & CVE-2026-3910 exist in the wild.”
As is standard practice with active vulnerabilities, the company has not released detailed technical information about the attacks or the threat actors involved. Limiting this information helps prevent additional attackers from exploiting the issues before most users install the updates.
Chrome Updates Rolling Out
Google has already released patched versions of Chrome for desktop users. The Stable channel has been updated to the following versions:
- Windows: 146.0.7680.75
- macOS: 146.0.7680.76
- Linux: 146.0.7680.75
The update is rolling out gradually and may take several days or weeks to reach all users automatically.
Users can manually install the update by navigating to:
More > Help > About Google Chrome
Chrome will automatically check for updates and prompt users to relaunch the browser once the update is installed.
Part of a Growing Trend of Chrome Zero Day Fixes
The latest fixes come shortly after Google patched another actively exploited vulnerability earlier this year.
In February 2026, the company addressed CVE-2026-2441, a use after free vulnerability in Chrome’s CSS component that attackers were already exploiting.
With the latest fixes, three actively exploited Chrome zero-day vulnerabilities have been patched in 2026 so far.
The previous flaw was reported by security researcher Shaheen Fazim and could potentially allow attackers to compromise affected systems.
During 2025, Google fixed eight Chrome zero day vulnerabilities, many of which were discovered by the company’s Threat Analysis Group, a team known for tracking sophisticated cyber threats including spyware campaigns.
Security Researchers Continue to Play a Key Role
Google also highlighted the importance of external security researchers in identifying vulnerabilities. Through its Vulnerability Reward Program, the company paid more than 17 million dollars to 747 researchers in 2025 for responsibly reporting security issues.
These programs encourage researchers to disclose flaws safely so companies can fix them before attackers widely exploit them.
Users of Chromium Based Browsers Should Also Update
The vulnerabilities affect the Chromium engine, which means users of other Chromium based browsers should also watch for updates.
Affected browsers may include:
- Microsoft Edge
- Brave
- Opera
- Vivaldi
Security patches will likely arrive for these browsers once their developers integrate the latest Chromium updates.
SQ Magazine Takeaway
In my view, this situation highlights how quickly browser vulnerabilities can become real world threats. Chrome is one of the most widely used browsers on the internet, so even a single flaw can put millions of users at risk.
The fact that attackers were already exploiting both vulnerabilities makes fast updates extremely important. If you use Chrome or any Chromium based browser, updating immediately is one of the simplest and most effective ways to stay protected online.
