Two Chrome Zero-Days Are Being Exploited Right Now — Patch Today

CISA added two Google Chrome vulnerabilities to its Known Exploited Vulnerabilities catalog today, and for once the urgency label actually fits. Both CVE-2026-3909 and CVE-2026-3910 are being actively exploited in the wild. If your Chrome hasn't updated in the last few days, you're exposed.

Google confirmed exploitation of both flaws in its advisory: "Google is aware that exploits for both CVE-2026-3909 & CVE-2026-3910 exist in the wild." Federal agencies have until March 27, 2026 to patch — one of the shorter deadlines CISA hands out.

What You're Actually Looking At

CVE-2026-3909 is an out-of-bounds write in Skia, the 2D graphics library Chrome uses to rasterize page content. CVSS score: 8.8. The attack vector is straightforward: a specially crafted HTML page drives the renderer into writing past the end of a buffer, corrupting memory. No additional privileges are needed and no user interaction beyond loading the page. Just visit the wrong page.

CVE-2026-3910 lives in V8, Chrome's JavaScript and WebAssembly engine. Same CVSS score: 8.8. A malicious HTML page can trigger arbitrary code execution inside the browser's renderer sandbox. V8 bugs are particularly attractive to attackers because every Chrome user runs attacker-supplied JavaScript, all the time, on every site, so the engine is exercised directly by whatever the page chooses to feed it. One caveat: code execution in the renderer is still inside Chrome's sandbox. Turning it into a full system compromise usually takes a separate sandbox-escape bug, and nothing in Google's advisory says whether the attackers have one.

Google's security team discovered both vulnerabilities on March 10, 2026. Within days, exploits were confirmed in the wild. That's a fast-moving window, and it means whoever is using these had them before Google patched.

The Fix Is Already Out

The patched version is Chrome 146.0.7680.75/76 on Windows and Mac, and 146.0.7680.75 on Linux. Google says the update will roll out over the coming days, but you shouldn't wait for it to find you.

To check your version: open `chrome://settings/help` (or `chrome://version`, which shows the build number without triggering an update). If Chrome sees an update available, it downloads it immediately; click Relaunch to finish. Takes about 90 seconds.

Enterprise environments should prioritize this. Both vulnerabilities require nothing more than a user visiting a page — no download prompt, no macro to enable, no credential to phish. Drive-by exploitation is the whole threat model here.
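For a fleet, checking the fix comes down to reading each host's installed Chrome build and comparing it against the patched build. The script below is an added example, not code from Google, CISA or this page. It assumes the binary names and paths listed in `CHROME_BINARIES` (a hypothetical lookup table you should adjust for your environment) and that `google-chrome --version` prints a line like `Google Chrome 146.0.7680.75`. The sample output strings in the tests are constructed, not captured from a real host. Note the comparison is done on a tuple of integers: a plain string compare would rank `146.0.7680.100` below `146.0.7680.75` and report a patched host as vulnerable.

```python
import re
import shutil
import subprocess
import sys
from typing import Optional, Tuple

# Lowest patched build per platform, from Google's advisory:
# Windows/Mac ship 146.0.7680.75 or .76, Linux ships 146.0.7680.75.
# Keys match sys.platform values.
MIN_PATCHED = {
    "win32": (146, 0, 7680, 75),
    "darwin": (146, 0, 7680, 75),
    "linux": (146, 0, 7680, 75),
}

# Assumed binary names/paths (hypothetical; adjust for your fleet).
CHROME_BINARIES = {
    "linux": ["google-chrome", "google-chrome-stable"],
    "darwin": ["/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"],
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract the 4-part Chrome build number from --version output.

    Returns None when no build number is present. Comparing the result as
    a tuple of ints avoids the string-compare bug where
    '146.0.7680.100' < '146.0.7680.75' lexicographically.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    a, b, c, d = (int(x) for x in m.groups())
    return (a, b, c, d)


def assess(version_text: Optional[str], platform: str) -> str:
    """Classify a host from its Chrome --version output.

    Returns 'patched', 'vulnerable', or 'unknown' (no Chrome found or an
    unparseable string). 'unknown' should be triaged as vulnerable.
    """
    if version_text is None:
        return "unknown"
    v = parse_version(version_text)
    if v is None:
        return "unknown"
    minimum = MIN_PATCHED.get(platform)
    if minimum is None:
        return "unknown"
    return "patched" if v >= minimum else "vulnerable"


def installed_version(platform: str = sys.platform) -> Optional[str]:
    """Run the local Chrome binary with --version and return its output.

    Assumes the paths/names in CHROME_BINARIES; returns None if none exist.
    """
    for candidate in CHROME_BINARIES.get(platform, []):
        path = candidate if candidate.startswith("/") else shutil.which(candidate)
        if not path:
            continue
        try:
            out = subprocess.run(
                [path, "--version"], capture_output=True, text=True, timeout=10
            )
        except (OSError, subprocess.SubprocessError):
            continue
        if out.returncode == 0 and out.stdout.strip():
            return out.stdout.strip()
    return None


if __name__ == "__main__":
    # Stand-alone use: exit non-zero unless the host is confirmed patched,
    # so the script can be dropped into a config-management compliance check.
    text = installed_version()
    status = assess(text, sys.platform)
    print(f"{sys.platform}: {text or 'chrome not found'} -> {status}")
    sys.exit(0 if status == "patched" else 1)
```

Run it on each host and aggregate the exit codes; anything other than `patched` goes on the push-now list.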

Why Two at Once

It's not unusual for researchers to find related bugs in the same component cluster during a single research sprint. V8 and Skia are both high-complexity, performance-sensitive code paths with large attack surfaces. When someone is actively looking, they tend to find more than one.

What is notable is the speed of exploitation. Both CVEs were discovered on March 10, and by March 13 CISA was listing them as actively exploited. Either these were found being exploited in the wild first and then reported to Google (the typical zero-day timeline), or someone moved very fast from patch analysis to weaponization.

Google hasn't disclosed which threat actors are exploiting these flaws or what the targets look like. That's standard practice until a broader patch rollout is complete.

Bottom Line

This one is simple: update Chrome. Version 146.0.7680.75 closes both holes. If you manage a fleet, push it now and don't wait for the scheduled rollout.

CISA's March 27 federal deadline is actually generous given that exploits exist today. Treat your own deadline as "before you open Chrome next time."

CybrPulse picked up both CVEs in the security-news index on March 13, within hours of the CISA catalog update. If you want early warning on actively exploited vulnerabilities — before they hit the news cycle — that's what we're here for.