Two critical zero-days in Chrome have been patched by Google, but they were already being actively exploited.
Google has released an emergency update for Google Chrome that addresses two serious vulnerabilities currently being actively exploited in attacks. The vulnerabilities, CVE-2026-3909 and CVE-2026-3910, were discovered by Google and patched within two days. Updates have been released for Windows, macOS, and Linux.
Vulnerabilities in graphics engine and JavaScript engine
In a security advisory, Google writes that the first vulnerability, CVE-2026-3909, is located in Skia, an open-source 2D graphics library that Chrome uses to render web pages and interface elements. The issue is an out-of-bounds write that can lead to a browser crash or even the execution of malicious code. The second vulnerability, CVE-2026-3910, is in V8, the engine that runs JavaScript and WebAssembly in Chrome.
Update rolling out worldwide
The security patch is included in Chrome version 146.0.7680.75 for Windows and Linux and 146.0.7680.76 for macOS. According to Google, it may take several days to weeks for the update to automatically reach all users, though it can also be installed manually via the browser’s update function.
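Because the automatic rollout can take days to weeks, a fleet check against the fixed builds is worth running in the meantime. The following is an added example, not code from Google or from the advisory; the CSV layout, hostnames and inventory rows are constructed, and only the fixed version numbers come from the article.

```python
# Added example: audit a browser inventory against the fixed Chrome builds
# named in the article. The inventory format and all rows are constructed samples.
import csv
import io

# Fixed builds per platform, as stated in the article.
FIXED = {
    "windows": (146, 0, 7680, 75),
    "linux": (146, 0, 7680, 75),
    "macos": (146, 0, 7680, 76),
}

def parse_version(text):
    """Parse a four-part Chrome version 'A.B.C.D' into a tuple of ints."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part Chrome version: {text!r}")
    return tuple(int(p) for p in parts)

def audit(inventory_csv):
    """Return {host: status}; status is 'patched', 'outdated' or 'unknown'."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        fixed = FIXED.get(row["os"].strip().lower())
        try:
            installed = parse_version(row["chrome_version"])
        except ValueError:
            installed = None
        if fixed is None or installed is None:
            # Unrecognised OS label or unparsable version: needs manual review.
            results[row["host"]] = "unknown"
        else:
            # Tuples compare numerically per component, so .9 sorts below .75.
            results[row["host"]] = "patched" if installed >= fixed else "outdated"
    return results

# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE = """host,os,chrome_version
ws-001,Windows,146.0.7680.75
ws-002,Windows,146.0.7680.9
mac-001,macOS,146.0.7680.75
lin-001,Linux,145.0.7632.160
lin-002,Linux,147.0.7700.3
kiosk-01,Windows,unknown
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Note that `mac-001` is flagged even though it runs the Windows/Linux fixed build, because the macOS fix is 146.0.7680.76. A downloaded update only takes effect once Chrome is relaunched, so the inventory should report the running version rather than the one on disk.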
The two vulnerabilities have already been actively exploited in attacks, although Google did not release details on how or by whom. These are also not the first Chrome zero-days this year: in February, Google patched CVE-2026-2441, Bleeping Computer reports. That vulnerability, in Chrome’s implementation of CSSFontFeatureValuesMap, was also being actively exploited.
