Published on March 14, 2026
Two New Google Chrome Zero-Day Vulnerabilities Actively Exploited for Code Execution
Severity
High
Detail
Google has released an emergency update for the Chrome browser after discovering two high-severity zero-day vulnerabilities, tracked as CVE-2026-3909 and CVE-2026-3910, which are actively exploited in the wild. These vulnerabilities could allow attackers to execute arbitrary code, bypass browser protections, and potentially compromise host systems.
| CVE ID | Summary | Impact | CVSS Score |
| --- | --- | --- | --- |
| CVE-2026-3909 | An out-of-bounds write vulnerability in Skia, Chrome’s graphics engine, potentially enabling memory corruption and arbitrary code execution. | Arbitrary code execution, sandbox bypass | 8.8 (high) |
| CVE-2026-3910 | An inappropriate implementation flaw in V8, Chrome’s high-performance JavaScript engine, which could be triggered via malicious web content to manipulate browser processes and compromise systems. | Arbitrary code execution, memory manipulation | 8.8 (high) |
Google confirmed that both vulnerabilities are already exploited in real-world attacks but has withheld technical details to prevent further misuse. Attackers leveraging these flaws could bypass Chrome’s sandbox protections, manipulate browser memory, or execute arbitrary commands on the affected system. Zero-day flaws like these are particularly dangerous because they are exploited before patches are widely available.
Affected Products
These vulnerabilities affect the following Google Chrome versions:
- Windows and macOS: Google Chrome versions 146.0.7680.74 and earlier.
- Linux: Google Chrome versions 146.0.7680.74 and earlier. On Linux, updates rely on the system’s package manager, so patch timing may vary. Exploit behaviors may differ slightly due to sandboxing, user permissions, and library dependencies.
Recommendation
To mitigate these vulnerabilities, implement the following measures:
- Update Chrome immediately to version 146.0.7680.75 or later.
- Restart the browser to ensure patches are applied.
- Enable automatic updates to prevent future exploitation.
- Monitor systems for unusual browser behaviors or unexpected processes.
Source
https://cyberpress.org/two-new-google-chrome-zero-day-vulnerabilities/
