Google has released an urgent security update for its Chrome browser after confirming that two high-severity zero-day vulnerabilities are being actively exploited in the wild.
The stable channel has been updated to version 146.0.7680.75/76 for Windows and macOS, and 146.0.7680.75 for Linux, with the rollout expected to reach users over the coming days and weeks.
Both vulnerabilities were reported internally by Google’s own security team on March 10, 2026, and carry a High severity rating, underscoring the seriousness of the threat to Chrome users worldwide.
CVE-2026-3909: Out-of-Bounds Write in Skia
The first flaw, tracked as CVE-2026-3909, is an out-of-bounds write vulnerability residing in Skia, the open-source 2D graphics engine that powers Chrome’s rendering pipeline.
Out-of-bounds write bugs are particularly dangerous because they allow attackers to overwrite adjacent memory regions, potentially enabling arbitrary code execution or application crashes.
When exploited in a browser context, this type of vulnerability can be leveraged to escape sandbox protections and execute malicious code on the victim’s system.
CVE-2026-3910: Inappropriate Implementation in V8
The second vulnerability, CVE-2026-3910, involves an inappropriate implementation in V8, Chrome’s high-performance JavaScript and WebAssembly engine.
Flaws in V8 are a persistent target for threat actors because JavaScript is constantly executed during normal web browsing, creating abundant exploitation opportunities. An attacker could craft a malicious webpage that, when visited, triggers the flaw to execute code in the context of the browser process.
Google has explicitly confirmed that exploits for both CVE-2026-3909 and CVE-2026-3910 exist in the wild, making this a critical update for individuals and organizations alike.
Technical details about the bugs and any associated bug tracker entries remain restricted until a significant portion of the user base has applied the patch, a standard practice to prevent further exploitation before systems are protected.
Mitigations
Users and administrators should update Chrome immediately to mitigate exposure. To manually trigger an update:
1. Open Chrome and navigate to Menu → Help → About Google Chrome.
2. Chrome will automatically check for and apply the latest update.
3. Restart the browser to complete the installation.
Organizations managing Chrome deployments through enterprise policies should prioritize pushing version 146.0.7680.75/76 across their environment without delay.
Given the active exploitation status of both flaws, waiting for the automatic rollout is not advisable for high-risk environments.
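For teams tracking the rollout, the following added example (not from Google or the original article) audits a host inventory against the fixed build 146.0.7680.75 named above. The hostnames, the inventory layout and every version other than the fixed builds are constructed for illustration; versions are compared as integer tuples because a plain string comparison ranks "146.0.7680.8" above "146.0.7680.75".

```python
import re

# Fixed builds as stated in the article; .75 is the lowest patched build on every platform.
PATCHED = {"windows": (146, 0, 7680, 75), "macos": (146, 0, 7680, 75), "linux": (146, 0, 7680, 75)}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Extract a four-part Chrome version from text such as 'Google Chrome 146.0.7680.75'."""
    m = VERSION_RE.search(text or "")
    return tuple(int(p) for p in m.groups()) if m else None

def classify(platform, reported):
    """Return 'patched', 'vulnerable' or 'unknown' for one host."""
    minimum = PATCHED.get(platform.lower())
    version = parse_version(reported)
    if minimum is None or version is None:
        return "unknown"  # needs follow-up; never counted as patched
    return "patched" if version >= minimum else "vulnerable"

def audit(inventory):
    """Group hostnames by status. inventory: iterable of (host, platform, reported version)."""
    result = {"patched": [], "vulnerable": [], "unknown": []}
    for host, platform, reported in inventory:
        result[classify(platform, reported)].append(host)
    return result

# Constructed sample inventory (hypothetical hostnames and version readings).
SAMPLE = [
    ("ws-001", "windows", "146.0.7680.76"),
    ("ws-002", "windows", "146.0.7680.8"),  # a string compare would rank ".8" above ".75"
    ("mac-01", "macos", "Google Chrome 146.0.7680.75"),
    ("lnx-01", "linux", "Google Chrome 145.0.7632.160 "),
    ("lnx-02", "linux", "147.0.7700.3"),
    ("kiosk-9", "linux", ""),  # agent returned nothing
]

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts in the "unknown" group should be chased the same way as vulnerable ones, since an empty or unparseable reading says nothing about patch state.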
The post Chrome Zero-Day Vulnerabilities Actively Exploited in the Wild to Execute Malicious Code appeared first on Cyber Security News.



