Google Fixes Two Chrome Zero-Days Exploited in the Wild Affecting Skia and V8

Google has released urgent security updates for its Chrome browser to fix two high-severity zero-day vulnerabilities that are actively being exploited in the wild. The flaws impact the Skia 2D graphics library and the V8 JavaScript and WebAssembly engine.

The vulnerabilities, tracked as CVE-2026-3909 and CVE-2026-3910, both carry a CVSS score of 8.8. CVE-2026-3909 is an out-of-bounds write vulnerability in Skia that could allow remote attackers to access memory through crafted HTML content. CVE-2026-3910 involves an improper implementation in the V8 engine, enabling remote code execution inside a sandbox via malicious HTML.

Discovered and reported internally by Google on March 10, 2026, details about the active exploits and threat actors have not been publicly disclosed to prevent further abuse. The tech giant confirmed awareness of in-the-wild exploitation for both vulnerabilities.

This marks the third actively exploited Chrome zero-day patched by Google in 2026, following a high-severity use-after-free flaw in the CSS component (CVE-2026-2441).

Users are strongly advised to update Chrome immediately to versions 146.0.7680.75/76 on Windows and macOS, and 146.0.7680.75 on Linux. Updates can be installed via More > Help > About Google Chrome, then selecting “Relaunch.” Users of Chromium-based browsers, including Microsoft Edge, Brave, Opera, and Vivaldi, should also apply updates as they are released.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added both vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog on March 13, 2026, directing Federal Civilian Executive Branch agencies to apply patches by March 27, 2026.

These updates reinforce the importance of maintaining the latest browser versions to protect against actively weaponized exploits targeting widely used components in modern web browsers.