Google rushes Chrome update fixing two zero-days already under attack
Summary
Google has released an emergency Chrome Stable update for Windows, macOS and Linux to patch two actively exploited zero-day vulnerabilities: CVE-2026-3909 (an out-of-bounds write in the Skia graphics library) and CVE-2026-3910 (an inappropriate implementation issue in the V8 JavaScript/WebAssembly engine). Exploits for both flaws are reported to be in the wild; Google is withholding technical details while rollout completes. The update should arrive automatically but can be triggered manually via Chrome’s settings and requires a browser restart.
Key Points
- Two zero-days (CVE-2026-3909 in Skia and CVE-2026-3910 in V8) were patched in an emergency Chrome release.
- Both vulnerabilities are reported to be actively exploited in the wild; Google has limited disclosure pending broad updates.
- The Skia bug is a memory-corruption flaw (an out-of-bounds write) that can lead to crashes or potential code execution.
- The V8 bug affects the JavaScript/WebAssembly engine; such bugs can be triggered by visiting a malicious or compromised site.
- The update is included in the Stable channel for desktop platforms and should install automatically; a manual update and browser restart will ensure protection immediately.
Context and Relevance
This patch follows another Chrome zero-day fixed in February (CVE-2026-2441), bringing the browser’s count of actively exploited bugs in 2026 to three. Browser engines and graphics libraries remain high-value targets because successful exploitation can let attackers run code or escape sandboxes. Google’s policy of delaying technical disclosure until updates are widespread is standard practice to avoid handing attackers operational details.
Organisations and individuals that rely on Chrome, particularly those with high-exposure browsing scenarios or legacy security controls, should ensure devices are updated promptly. The vulnerabilities were discovered internally by Google; the company also reported substantial bug-bounty payouts in 2025, highlighting ongoing crowdsourced vulnerability discovery alongside internal research.
Why should I read this
Heads up — attackers are already using these bugs. If your Chrome is nagging for a restart, do it now. This summary saves you the time: update straight away, or you risk visiting a page that could exploit your browser.
Source
Source: https://go.theregister.com/feed/www.theregister.com/2026/03/13/google_zeroday_chrome_update/
