Source: Forbes
MOUNTAIN VIEW, CA — Google has issued an urgent “out-of-band” security update for its Chrome browser following the discovery of two high-severity zero-day vulnerabilities currently being exploited by hackers. The flaws impact the browser’s estimated 3.5 billion users across Windows, macOS, and Linux.
The tech giant confirmed on March 12, 2026, that it is aware of “exploits existing in the wild” for both vulnerabilities, which were discovered internally by Google’s security teams just days prior.
The Vulnerabilities at a Glance
The two bugs, tracked as CVE-2026-3909 and CVE-2026-3910, target core components of the Chrome engine. By luring a user to a specially crafted malicious website, an attacker could potentially execute code or access sensitive data.
| CVE ID | Component | Vulnerability Type | Potential Impact |
|---|---|---|---|
| CVE-2026-3909 | Skia | Out-of-bounds write | Memory corruption and code execution |
| CVE-2026-3910 | V8 Engine | Inappropriate implementation | |
CVE-2026-3909 resides in Skia, the open-source 2D graphics library used to render web content. Meanwhile, CVE-2026-3910 affects the V8 JavaScript engine, the part of Chrome responsible for running scripts. Security experts warn that while these attacks typically happen within the browser “sandbox,” they can still be used to steal session tokens, hijack accounts, or be paired with other exploits to take over a device.
CISA Steps In
The urgency of the situation was underscored by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which added both flaws to its Known Exploited Vulnerabilities catalog. CISA has ordered federal agencies to apply the patches by March 27, 2026, citing the high risk of data loss and unauthorized access.
How to Protect Your Device
Google has begun rolling out the fix in version 146.0.7680.75/.76. While the browser often updates automatically, users are encouraged to manually verify their version to ensure the patch is active.
To update Chrome manually:
1. Click the three dots (⋮) in the top-right corner.
2. Navigate to Help > About Google Chrome.
3. Chrome will automatically check for and download the update.
4. Crucial: Click Relaunch to apply the security fixes.
As of today, these represent the second and third zero-days patched in Chrome since the beginning of 2026, marking a busy start to the year for cybersecurity defenders.
