Google addressed two high-severity vulnerabilities in the Chrome browser that have been exploited in attacks in the wild.
Google has released security updates to address two high-severity vulnerabilities, tracked as CVE-2026-3909 and CVE-2026-3910, in the Chrome browser. The company is aware of attacks in the wild exploiting both flaws.
“Google is aware that exploits for both CVE-2026-3909 & CVE-2026-3910 exist in the wild.” reads the advisory published by the tech giant.
Google experts discovered both vulnerabilities on March 10, 2026. As usual, the company did not disclose details about the attacks exploiting these flaws or the threat actors involved.
Below are the descriptions for these vulnerabilities:
EXPLORE MORE
Missing Juvenile Sa’hij Fisher-Burton from the 12th District
Missing Juvenile Sa’hij Fisher-Burton from the 12th District | Philadelphia Police Department…
Canada refuses to release files on secret policing deal with China
(LifeSiteNews) — Canada’s federal government under Prime Minister Mark Carney declined to…
National broadcast campaign launches to expand awareness of abortion pill reversal
(LifeSiteNews) — Three major pro-life organizations launched a national public service announcement…
Robotic surgery firm Intuitive reports data breach after targeted phishing attack
Intuitive suffered a phishing attack leading to a data breach exposing customer,…
UK ‘Rape Gang Inquiry’ presentation goes viral as survivors reveal harrowing abuse
READER DISCRETION STRONGLY ADVISED. A labeled portion of the following article, and…
EU sanctions Chinese and Iranian actors over cyberattacks on critical infrastructure
EU sanctions Chinese and Iranian firms and individuals for cyberattacks targeting critical…
- CVE-2026-3909 (CVSS score: 8.8) – Out-of-bounds write in the Skia 2D graphics library that lets a remote attacker trigger memory corruption by tricking a user into opening a specially crafted HTML page.
- CVE-2026-3910 (CVSS score: 8.8) – Flaw in the implementation of the V8 JavaScript/WebAssembly engine that lets a remote attacker run arbitrary code within the browser sandbox using a maliciously crafted HTML page.
The company informed users that the Stable channel has been updated to version 146.0.7680.75/76 for Windows and Mac, and 146.0.7680.75 for Linux. The update will roll out over the coming days and weeks. A full list of changes in this build is available in the log.
In mid-February, Google released urgent security updates to address another high-severity zero-day vulnerability, tracked as CVE-2026-2441 (CVSS score of 8.8), in Chrome that is already being exploited in real-world attacks. The flaw is a use-after-free bug in the browser’s CSS component.
It was the first actively exploited Chrome zero-day fixed in 2026, after eight similar flaws were patched in 2025. An attacker could exploit the flaw to compromise affected systems. The issue was discovered and responsibly reported by security researcher Shaheen Fazim on February 11, 2026.
Google has confirmed that an exploit for CVE-2026-2441 exists in the wild, but has not shared details about how it is being used or which threat actor is behind the exploitation of the flaw.
