Google has rolled out security patches to address two serious security weaknesses in Chrome that are currently being used in zero-day attacks. According to the initial version of a note published on Thursday, the company said, “Google is aware that exploits for both CVE-2026-3909 & CVE-2026-3910 exist in the wild.”
CVE-2026-3909 was subsequently removed from the sentence, with Google publishing a separate note acknowledging it and saying that a security fix has been created. Google Chrome currently has 3.5 billion users, reported Forbes.
A zero-day vulnerability describes flaws that attackers are actively abusing before any update is released and often before the vendor is even aware of the problem.
Also Read: Google Acquires AI Security Platform That Detects Vulnerabilities In Product Before It's Built
The first security flaw, CVE-2026-3909, affects Skia, an open-source graphics framework used by Chrome to render web pages and interface visuals. The vulnerability stems from an out-of-bounds write error that could be exploited to crash the browser or potentially execute malicious code.
An out-of-bounds memory flaw is a type of vulnerability that can potentially allow attackers to execute code remotely when exploited. Simply opening a maliciously crafted website could be enough to trigger the exploit.
The second vulnerability, CVE-2026-3910, involves a faulty implementation within the V8 engine that powers JavaScript and WebAssembly functionality in the browser.
Google said it identified the issues and delivered patches within two days. Updated Chrome releases are now being deployed via the Stable Desktop channel for Windows (146.0.7680.75), macOS (146.0.7680.76) and Linux users (146.0.7680.75).
While Google confirmed that the vulnerability is being actively exploited, it has not released further information about the incidents.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven't yet fixed,” it said.
Google noted that the update may take several days or even weeks to reach all Chrome users. Users who prefer not to install updates manually can allow the browser to check for them automatically and apply the update the next time Chrome is launched.
The newly fixed vulnerabilities mark the second and third Chrome zero-days known to have been actively exploited so far in 2026. The first, identified as CVE-2026-2441, was patched in mid-February and involved a flaw in CSSFontFeatureValuesMap, part of Chrome's system for handling CSS font feature values, according to BleepingComputer.
Also Read Using AI, Hackers Can Even Tell Where You Walk Your Dog — Here's How To Prevent That
Essential Business Intelligence, Continuous LIVE TV, Sharp Market Insights, Practical Personal Finance Advice and Latest Stories — On NDTV Profit.
