CISA has issued an urgent warning regarding two critical zero-day vulnerabilities affecting Google Chrome and other Chromium-based products.
Both flaws have been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, which means attackers are already exploiting them in the wild.
With the deadline for federal agencies to apply patches rapidly approaching, organizations and individual users are strongly advised to update their browsers and affected applications immediately. The two newly cataloged flaws sit in core components of the Chromium engine.
Vulnerabilities Breakdown
CVE-2026-3909 (Google Skia Out-of-Bounds Write): Skia is the 2D graphics library used by Chrome, Android, ChromeOS, Flutter and other platforms.
The flaw lets the library write data past the end of its intended buffer, corrupting adjacent memory. A remote attacker can reach it simply by tricking a user into visiting a crafted HTML page.
CVE-2026-3910 (Google Chromium V8 Improper Restriction): V8 is the JavaScript engine that powers Chromium. The flaw is an improper restriction of operations within the bounds of a memory buffer.
As with the Skia bug, a malicious HTML page is enough to trigger it, potentially allowing arbitrary code execution inside the browser's sandboxed renderer process. Code running there is still confined by the sandbox, so attackers typically chain such a bug with a separate sandbox escape to reach the underlying system.
Both vulnerabilities are reached through content the browser renders, so exploitation depends on social engineering or compromised websites. Threat actors typically lure victims to a harmful webpage, or hijack a legitimate site to host their specially crafted HTML pages.
When a vulnerable browser loads the page, the exploit runs as the content is parsed, with no further interaction from the user.
CISA's KEV entries list use in ransomware campaigns as unknown, but because these flaws yield code execution and memory corruption in the browser, they are highly valuable to attackers.
Cybercriminals and state-sponsored groups routinely use memory-safety bugs of this kind to deploy malware or steal sensitive data.
CISA has mandated that all Federal Civilian Executive Branch (FCEB) agencies patch these vulnerabilities by March 27, 2026.
Although the binding operational directive applies directly only to federal agencies, private organizations and individual users should treat this timeline as a critical priority.
To protect your systems against these zero-day attacks, follow these mitigation steps:
Update Google Chrome to the latest available version immediately.
Ensure that other Chromium-based browsers, such as Microsoft Edge and Opera, are fully up to date.
Apply the latest security patches for Android devices, ChromeOS, and Flutter applications.
Follow applicable CISA BOD 22-01 guidance if your organization utilizes cloud services connected to these vulnerable products.
Discontinue the use of the affected products entirely if you are unable to apply the vendor-provided security patches.
Prompt patching is the most effective defense against active exploitation. Security teams should continuously monitor vendor advisories and push updates to their networks as soon as they become available.
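A practical way to act on the steps above is to inventory which Chromium-based browsers are installed and compare their versions against the fixed build number from the vendor advisory. The script below is an added example, not code from the original article or from CISA; it is written for a Linux host, the browser binary names it probes are assumed defaults for each vendor, and the minimum version is supplied by the operator because the article does not state the patched build numbers.

```shell
#!/bin/sh
# Added example (not from the original article): inventory Chromium-based
# browsers on a Linux host and flag any that are below a minimum patched
# version. Usage: sh check_chromium.sh <fixed-version-from-vendor-advisory>

# version_ge A B -> exit 0 if dotted version A >= B, else 1.
# Compares numerically field by field (134.0.6998.117 vs 134.0.6998.89),
# so the plain string-compare mistake ("89" > "117") is avoided.
version_ge() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ax=${a%%.*}; bx=${b%%.*}
    ax=${ax:-0};  bx=${bx:-0}
    [ "$ax" -gt "$bx" ] && return 0
    [ "$ax" -lt "$bx" ] && return 1
    case $a in *.*) a=${a#*.} ;; *) a="" ;; esac
    case $b in *.*) b=${b#*.} ;; *) b="" ;; esac
  done
  return 0
}

# extract_version "Google Chrome 134.0.6998.89" -> 134.0.6998.89
# Pulls the first dotted number out of whatever "--version" prints.
extract_version() {
  printf '%s\n' "$1" | grep -oE '[0-9]+(\.[0-9]+)+' | head -n 1
}

# check_browser NAME MIN -> prints one status line. Returns 0 when the
# binary is absent or at/above MIN, 1 when it is installed but outdated
# or its version could not be parsed (treat that as needing a manual check).
check_browser() {
  name="$1"; min="$2"
  if ! command -v "$name" >/dev/null 2>&1; then
    printf '%-22s not installed\n' "$name"
    return 0
  fi
  ver=$(extract_version "$("$name" --version 2>/dev/null || true)")
  if [ -z "$ver" ]; then
    printf '%-22s installed, version unknown (check manually)\n' "$name"
    return 1
  fi
  if version_ge "$ver" "$min"; then
    printf '%-22s %s OK\n' "$name" "$ver"
    return 0
  fi
  printf '%-22s %s VULNERABLE (needs >= %s)\n' "$name" "$ver" "$min"
  return 1
}

# audit_browsers MIN -> checks the assumed binary names for Chrome, Chromium,
# Edge and Opera; returns 1 if any installed browser is below MIN.
audit_browsers() {
  min="$1"; rc=0
  for bin in google-chrome google-chrome-stable chromium chromium-browser \
             microsoft-edge opera; do
    check_browser "$bin" "$min" || rc=1
  done
  return "$rc"
}

# Run the audit only when a minimum version is given on the command line.
if [ "$#" -gt 0 ]; then
  audit_browsers "$1"
fi
```

Run it with the fixed version number from the Chrome, Edge or Opera release notes as the single argument; a non-zero exit status means at least one installed browser is outdated or unparseable, which makes the script easy to wire into a configuration-management or fleet-reporting job. Note that a browser binary can report the patched version while long-running instances are still executing the old code, so a relaunch is still required after the update lands.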
The post CISA Warns of Chrome 0-Day Vulnerabilities Exploited in Attacks appeared first on Cyber Security News.