In a significant update to the Chrome Stable channel, Google has patched two high-severity vulnerabilities that threat actors are currently exploiting in the wild. This emergency rollout brings the browser to version 146.0.7680.75/76 for Windows and Mac, and 146.0.7680.75 for Linux users. Given the active exploitation of these flaws, immediate manual updates are highly recommended for all users to prevent potential system compromise.
The first vulnerability, identified as CVE-2026-3909, is a high-severity out-of-bounds write flaw within the Skia graphics engine. Skia is a critical component responsible for rendering 2D graphics, and such memory corruption issues can typically allow an attacker to execute arbitrary code or cause the browser to crash by writing data outside the intended buffer. The flaw was reported by Google researchers on March 10, 2026, and the specific technical details of the exploit remain restricted from public view until a majority of users have successfully updated their software.
The second critical fix addresses CVE-2026-3910, a high-severity inappropriate implementation bug found in the V8 JavaScript engine. V8 is the high-performance engine that executes JavaScript within the browser, and flaws in its implementation are frequently targeted by attackers seeking to escape the Chrome sandbox. This vulnerability was also identified and reported by Google on March 10, 2026.
Google has explicitly stated that it is “aware that exploits for both CVE-2026-3909 & CVE-2026-3910 exist in the wild.”
To protect your system, it is recommended to:
- Check for Updates: Navigate to Settings -> About Chrome to trigger the manual update process.
- Relaunch: Ensure the browser is restarted to apply the security patches.
- Monitor Managed Environments: Systems administrators should prioritize the rollout of version 146.0.7680.75 across their fleets to mitigate the risk of these zero-day attacks.
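For the fleet rollout step above, the following added example (not from Google or the original report) checks an inventory export against the fixed build 146.0.7680.75 and separates hosts that still need the update from hosts that have the patched build on disk but are still running an older process. The CSV layout, host names and older version strings are constructed assumptions.

```python
import csv
import io

# Fixed build named in the article; Windows and Mac may also report .76.
FIXED = (146, 0, 7680, 75)

# Constructed sample inventory. Column names and values are assumptions;
# an empty "running" field means no Chrome process was observed.
SAMPLE_INVENTORY = """host,installed,running
ws-001,146.0.7680.76,146.0.7680.76
ws-002,146.0.7680.75,145.0.7000.10
mac-014,145.0.7000.10,145.0.7000.10
lnx-203,146.0.7680.75,
lnx-204,146.0.7680.9,146.0.7680.9
kiosk-7,unknown,
"""

def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not a Chrome version."""
    parts = (text or "").strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(installed, running):
    inst, run = parse_version(installed), parse_version(running)
    if inst is None:
        return "unknown"          # inventory gap: treat as unpatched until verified
    if inst < FIXED:              # numeric compare: .9 is older than .75
        return "needs-update"
    if run is not None and run < FIXED:
        return "needs-relaunch"   # patched on disk, old process still in memory
    return "patched"

def audit(inventory_csv):
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["installed"], r["running"]) for r in rows}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host:8} {status}")
```

Comparing versions as integer tuples matters here: a plain string comparison would rank 146.0.7680.9 above 146.0.7680.75 and report that host as patched.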