Chrome Zero-Days Under Active Exploitation: Two Flaws in Skia and V8, Patch Now
Google confirmed this morning that two Chrome zero-days are under active exploitation. Both vulnerabilities are patched in today's emergency out-of-band update. If you or your users are running Chrome, you need to manually trigger this update — the auto-rollout can take days to weeks.
What's Being Exploited
CVE-2026-3909 is an out-of-bounds write vulnerability in Skia, the open-source 2D graphics library Chrome uses to render web content and the browser UI. Out-of-bounds writes in rendering components are dangerous: they can crash the browser or, depending on the exploit quality, enable arbitrary code execution. No user interaction beyond visiting a malicious or compromised site is required to trigger this class of bug.
CVE-2026-3910 is an inappropriate implementation flaw in V8, Chrome's JavaScript and WebAssembly engine. Google is withholding technical details on both vulnerabilities until the patch has reached enough users — standard practice when exploits are already circulating.
The patched versions are 146.0.7680.75 for Windows and Linux, and 146.0.7680.76 for macOS. Google says it discovered both vulnerabilities internally and had patches out within two days of the report.
How to Update Right Now
Chrome auto-updates, but that rollout can drag for weeks. Don't wait. Go to:
Settings → Help → About Google Chrome
Chrome will pull the update immediately. You'll need to relaunch the browser to apply it. That's it.
For enterprise environments using MDM, Intune, or Group Policy — push this now. Don't rely on the organic rollout to cover your endpoints in any reasonable timeframe.
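To confirm the push actually landed, compare each endpoint's reported Chrome version against the patched build for its platform. The following is an added example, not code from Google or from this article's author: the thresholds are the versions quoted above, while the inventory rows, hostnames and function names are constructed for illustration.

```python
# Patched builds as stated in the article; everything else here is illustrative.
PATCHED = {
    "windows": (146, 0, 7680, 75),
    "linux": (146, 0, 7680, 75),
    "macos": (146, 0, 7680, 76),
}

def parse_version(text):
    """Return a 4-tuple of ints for a Chrome version string, or None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(platform, version):
    """Return 'patched', 'vulnerable', or 'unknown' for one endpoint."""
    minimum = PATCHED.get(platform.strip().lower())
    parsed = parse_version(version)
    if minimum is None or parsed is None:
        return "unknown"  # needs manual follow-up; never assume it is safe
    # Tuples compare numerically per component, so .100 > .75
    # (a plain string comparison would get this wrong).
    return "patched" if parsed >= minimum else "vulnerable"

def audit(inventory):
    """Group hostnames by status; inventory yields (host, platform, version)."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for host, platform, version in inventory:
        report[classify(platform, version)].append(host)
    return report

# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE = [
    ("ws-001", "Windows", "146.0.7680.75"),
    ("ws-002", "Windows", "146.0.7680.71"),
    ("mac-001", "macOS", "146.0.7680.75"),    # below the macOS patched build
    ("mac-002", "macOS", "146.0.7680.76"),
    ("lnx-001", "Linux", "146.0.7680.100"),
    ("lnx-002", "Linux", "145.0.7632.160"),
    ("kiosk-01", "ChromeOS", "146.0.7680.75"),  # platform not covered above
    ("ws-003", "Windows", "unknown"),           # agent returned no version
]

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Feed it the host, platform and version columns exported from your MDM or EDR inventory; anything in the `unknown` bucket should be checked by hand rather than counted as patched.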
Context: 2026 Is Already a Bad Year for Chrome Zero-Days
These are the second and third actively exploited Chrome zero-days patched in 2026, and we're three months in. The first, CVE-2026-2441 — an iterator invalidation bug in CSSFontFeatureValuesMap — was patched in mid-February. Google patched eight actively exploited Chrome zero-days across all of 2025.
Three in under three months puts 2026 on pace to double that. Whether that's attackers getting smarter, internal discovery improving, or something about the Chrome 146 branch that created new attack surface — the trend is moving in the wrong direction.
What This Means for Defenders
Skia and V8 are not obscure components. Skia renders essentially everything on screen; V8 executes essentially every JavaScript payload your users load. Bugs in both are attractive to sophisticated actors targeting browsers as an initial access vector — no phishing attachment needed, just a link.
The current attack context is unknown. Google hasn't disclosed what the exploits look like, who's being targeted, or whether these are being chained with privilege escalation bugs. That information is deliberately held back to protect the patch rollout. Watch for Google's technical disclosure once the majority of users are patched.
In the meantime, your exposure window is however long it takes you to update Chrome across your environment. That window opened this morning.
The Short Version
- CVE-2026-3909: Skia out-of-bounds write — code execution risk
- CVE-2026-3910: V8 inappropriate implementation — actively exploited, details withheld
- Patch: Chrome 146.0.7680.75 (Windows/Linux) / 146.0.7680.76 (macOS)
- Action: Force update now via Settings → Help → About Google Chrome, or push via MDM
- Context: 3rd actively exploited Chrome zero-day in 2026, pace is accelerating