Google has released emergency security updates for Chrome to fix two high-severity vulnerabilities that are already being exploited in real-world attacks.
The company confirmed that both flaws, tracked as CVE-2026-3909 and CVE-2026-3910, have active exploits in the wild.
The first vulnerability, CVE-2026-3909, is an out-of-bounds write issue found in Skia, an open source 2D graphics library used by Chrome to render web content and user interface elements. If exploited, the flaw could allow attackers to crash the browser or potentially execute malicious code on a victim’s system.
The second vulnerability, CVE-2026-3910, involves an inappropriate implementation issue in the V8 engine, which powers Chrome’s JavaScript and WebAssembly functionality. This engine is responsible for running scripts on websites, making it a critical component of the browser.
Google said both security flaws were patched within two days after being reported. The fixes have been released in the Stable Desktop channel with Chrome version 146.0.7680.75 for Windows and Linux and version 146.0.7680.76 for macOS.
Although the update is now available, Google warned that it may take days or even weeks before it reaches all users globally. Users who want to receive the patch immediately can manually check for updates in Chrome or allow the browser to install updates automatically the next time it is restarted.
The company did not disclose detailed information about the attacks using these vulnerabilities. Google explained that it limits access to bug details until most users have installed the fix, especially when the flaws involve third-party libraries that may still be vulnerable in other software projects.
These vulnerabilities are the second and third Chrome zero-day flaws discovered and patched in 2026. The first one this year, tracked as CVE-2026-2441, was fixed in February and involved an iterator invalidation issue in Chrome’s CSSFontFeatureValuesMap implementation.
If this article helped you, please consider supporting our work. Every small contribution keeps Abijita.com independent and running.
Google also shared new data about its security research program. The company revealed that it paid more than 17 million dollars to 747 security researchers through its Vulnerability Reward Program during 2025 for reporting security flaws across its products.
