HIGH: Google Patches Two Chrome Zero-Days Actively Exploited in the Wild
Google patched CVE-2026-3909 (Skia OOB write) and CVE-2026-3910 (V8 sandbox escape), both CVSS 8.8 and actively exploited. CISA added both to its KEV catalog with a March 27 deadline. Update to Chrome 146.0.7680.75/76.
If you're reading this article in Chrome, now would be a great time to check whether you've updated recently. Google just dropped emergency patches for not one but two high-severity zero-day vulnerabilities that attackers are actively exploiting right now, and the clock is ticking.
The twin flaws, tracked as CVE-2026-3909 and CVE-2026-3910, both carry a CVSS score of 8.8, putting them firmly in high severity territory. They target different components of Chrome's architecture but share something dangerous in common: both can be triggered simply by visiting a malicious webpage. No downloads, no user interaction beyond clicking a link. Just visit the wrong site and you're potentially compromised.
The first vulnerability sits in Skia, Chrome's 2D graphics rendering library. It's an out-of-bounds write flaw, which in plain English means an attacker can craft an HTML page that tricks Skia into writing data outside its designated memory space. This kind of bug is a classic stepping stone to remote code execution, letting attackers potentially run malicious code on your machine just by getting you to view their carefully constructed webpage.
The second flaw lives in V8, Chrome's JavaScript and WebAssembly engine. Google describes it as an inappropriate implementation issue, which is their polite way of saying the code doesn't behave the way the security model expects. What makes this one particularly nasty is that it enables sandbox escape, meaning an attacker who exploits it can break out of Chrome's security sandbox and potentially reach deeper into your system.
Google's own security team discovered both vulnerabilities on March 10, and in typical fashion for actively exploited bugs, the company isn't saying much about who's using them or how. That's standard practice in the industry since you don't want to hand other attackers a roadmap while users are still patching. What we do know is that Google has confirmed exploitation attempts are happening in the wild right now.
These patches bring the total to three Chrome zero-days that Google has had to scramble to fix since January 2026. Last month it was a use-after-free bug in the CSS component (CVE-2026-2441) that required emergency treatment. The pattern suggests either increased attacker sophistication, improved detection on Google's part, or both. Either way, it's a reminder that even the most popular browser on the planet remains a constant target.
The fixed versions are 146.0.7680.75 and 146.0.7680.76 for Windows and macOS, and 146.0.7680.75 for Linux. You can verify your version and trigger an update by going to Chrome's menu, then Help, then About Google Chrome. If you're on Microsoft Edge, Brave, Opera, Vivaldi, or any other Chromium-based browser, you'll want to watch for similar patches from those vendors since they share the affected codebase.
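For a fleet, the same check can be run over an inventory export. The script below is an added example, not code from Google or from this article: it flags hosts whose reported Google Chrome build is below 146.0.7680.75, the lowest fixed build named above. The `host,platform,version` CSV layout and the sample rows are constructed assumptions, and it covers Google Chrome only, not other Chromium-based browsers.

```python
import re

# Lowest fixed build named in the article (Windows/macOS also ship .76).
FIXED = (146, 0, 7680, 75)

# Constructed sample inventory: host, platform, reported Chrome version.
SAMPLE_INVENTORY = """\
ws-001,windows,146.0.7680.76
ws-002,windows,146.0.7680.8
mac-014,macos,145.0.7000.10
lin-203,linux,146.0.7680.75
lin-204,linux,146.0.7680.100
kiosk-9,windows,unknown
"""

_VERSION_RE = re.compile(r"^\d+\.\d+\.\d+\.\d+$")

def parse_version(text):
    """Return a 4-tuple of ints, or None when the string is not a Chrome version."""
    text = text.strip()
    if not _VERSION_RE.match(text):
        return None
    return tuple(int(part) for part in text.split("."))

def classify(version_text, fixed=FIXED):
    """Return 'patched', 'vulnerable' or 'unknown' for one reported version."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # needs follow-up; never counted as patched
    # Tuple comparison is numeric per component, so .100 > .75 and .8 < .75,
    # which a plain string comparison would get wrong.
    return "patched" if version >= fixed else "vulnerable"

def audit(inventory_text):
    """Map each host to its status; rows that are not host,platform,version are skipped."""
    results = {}
    for line in inventory_text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 3 or not fields[0]:
            continue
        host, _platform, version_text = fields
        results[host] = classify(version_text)
    return results

def needs_action(inventory_text):
    """Hosts that are not confirmed patched, sorted for stable reporting."""
    return sorted(h for h, s in audit(inventory_text).items() if s != "patched")

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts that report no parseable version are listed for follow-up alongside the vulnerable ones rather than assumed patched.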
CISA isn't taking any chances either. The agency added both CVEs to its Known Exploited Vulnerabilities catalog on March 13, giving federal agencies until March 27 to apply the fixes. For the rest of us, the deadline should be considerably sooner than that. When attackers are already using exploits in the wild, every day you delay is a day you're running vulnerable.
The bottom line is simple. Update Chrome now. Not after you finish reading this article, not after lunch, now. It takes about thirty seconds and a browser restart. Given that exploitation is already happening in the wild, those thirty seconds are some of the best-invested time in your security posture today.
References
- Google Chrome Releases
https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_15.html
- CISA Known Exploited Vulnerabilities Catalog
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- NVD - CVE-2026-3909
https://nvd.nist.gov/vuln/detail/CVE-2026-3909
- NVD - CVE-2026-3910
https://nvd.nist.gov/vuln/detail/CVE-2026-3910