
Archived Article — The Daily Perspective is no longer active. This article was published on 13 March 2026 and is preserved as part of the archive.

Technology

Chrome's two new zero-day flaws already being weaponised by attackers

Google patches critical vulnerabilities in graphics library and JavaScript engine before rollout complete

Key Points
  • Google released emergency patches for CVE-2026-3909 and CVE-2026-3910, two zero-days already being actively exploited
  • Both vulnerabilities affect critical systems: Skia graphics library and V8 JavaScript engine can allow code execution
  • Updates to Chrome 146 are rolling out gradually over days or weeks; users should update manually via Settings > About Chrome
  • This marks the third actively exploited zero-day Chrome has patched this year, following one in February

Google has pushed an emergency update to Chrome to patch two previously unknown vulnerabilities that attackers are already exploiting in real-world campaigns. The company confirmed Thursday that both flaws are in active use by malicious actors, even as patches begin rolling out to users.

The two vulnerabilities, CVE-2026-3910 and CVE-2026-3909, have CVSS severity ratings of 8.8, placing them in the high-risk category. CVE-2026-3909 is an out-of-bounds write flaw in Skia, Chrome's graphics library, while CVE-2026-3910 is an inappropriate implementation issue in the V8 JavaScript and WebAssembly engine.

The nature of these vulnerabilities explains why attackers have moved quickly to exploit them. An out-of-bounds write lets an attacker overwrite adjacent memory, which can lead to arbitrary code execution or an application crash; in a browser, a flaw of this kind can be leveraged to escape sandbox protections and run malicious code on the victim's system. V8 is a persistent target for threat actors because JavaScript runs constantly during normal web browsing, giving attackers abundant opportunities to reach the engine.

What makes these attacks particularly dangerous is the minimal user interaction required. An attacker can trigger these flaws by tricking a user into visiting a specially crafted malicious website without requiring any additional interaction from the victim.

Google discovered both security flaws and patched them within two days of reporting, with new versions rolling out to Windows (146.0.7680.75), macOS (146.0.7680.76), and Linux. The rollout is gradual, spread over the coming days and weeks, so many Chrome users will remain vulnerable for some time.

The company is withholding technical details about the vulnerabilities from public view. Access to bug details and links will remain restricted until a majority of users are updated with a fix, and Google will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on but haven't yet fixed. This is standard practice; full disclosure before patches reach most users would hand attackers a blueprint for expanding their campaigns.

Users need not wait for automatic updates: Chrome can be updated manually via Settings > About Chrome, and the browser must be relaunched afterwards for the patch to take effect.
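For administrators checking a fleet rather than a single browser, here is an added example (not from the article, nor Google's code) that flags hosts still below the fixed builds named above. The Linux threshold and the inventory lines are assumptions constructed for the example, since the article gives no Linux build number.

```python
"""Flag Chrome installs below the builds that fix CVE-2026-3909 and
CVE-2026-3910: 146.0.7680.75 (Windows) and 146.0.7680.76 (macOS) per the
article. The Linux value is an assumption; inventory rows are constructed."""

FIXED_VERSIONS = {
    "windows": "146.0.7680.75",
    "macos": "146.0.7680.76",
    "linux": "146.0.7680.75",  # assumption: article names no Linux build
}

def parse_version(v: str) -> tuple:
    """Turn '146.0.7680.75' into (146, 0, 7680, 75); raise on malformed input."""
    parts = tuple(int(p) for p in v.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"unexpected Chrome version format: {v!r}")
    return parts

def is_patched(platform: str, version: str) -> bool:
    """True when version is at or above the fixed build for that platform."""
    fixed = FIXED_VERSIONS[platform.lower()]
    return parse_version(version) >= parse_version(fixed)

# Constructed sample inventory: host,platform,installed Chrome version
SAMPLE_INVENTORY = """\
host01,windows,146.0.7680.75
host02,windows,145.0.7630.12
host03,macos,146.0.7680.76
host04,macos,146.0.7680.75
host05,linux,146.0.7680.80
host06,windows,not-installed
"""

def vulnerable_hosts(inventory: str) -> list:
    """Return (host, reason) for hosts on a pre-fix build or with unparseable data."""
    out = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        try:
            host, platform, version = (f.strip() for f in line.split(","))
            if not is_patched(platform, version):
                out.append((host, "pre-fix build"))
        except (ValueError, KeyError):
            out.append((line.split(",")[0], "unrecognised version/platform"))
    return out

if __name__ == "__main__":
    for host, reason in vulnerable_hosts(SAMPLE_INVENTORY):
        print(f"{host}: {reason}")
```

Note that host04 is flagged because the macOS fix landed in build .76, one higher than the Windows build, so a single cross-platform threshold would miss it.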

Last year, Google fixed a total of eight zero-days exploited in the wild, many of which were reported by Google's Threat Analysis Group, a group of security researchers known for tracking and identifying zero-days exploited in spyware attacks. This year's pace is concerning. These are the second and third actively exploited Chrome zero-days patched since the start of 2026, with the first being CVE-2026-2441, an iterator invalidation bug in Chrome's CSS font feature values implementation, addressed in mid-February.

The pattern highlights a troubling reality for browser security. As Chrome's market dominance grows, it remains a primary target for sophisticated attackers seeking to compromise systems at scale. Users and organisations managing enterprise Chrome deployments should treat these updates as urgent rather than routine.

Helen Cartwright

Helen Cartwright is an AI editorial persona created by The Daily Perspective. Translating complex medical research for general readers with clinical precision and an evidence-first approach. As an AI persona, articles are generated using artificial intelligence with editorial quality controls.