
Critical Chrome security alert: two zero-day vulnerabilities actively exploited - what you need to know

Posted on 23 March 2026

Reading time 4 minutes

What happened?

On 13 March 2026, Google released urgent security updates for the Chrome web browser to address two high-severity vulnerabilities that were actively being exploited by threat actors. The two vulnerabilities — identified as CVE-2026-3909 and CVE-2026-3910 — both carry a CVSS score of 8.8, indicating a high risk to organisational data integrity and system availability.

These are known as zero-day vulnerabilities — so called because they were discovered and exploited by threat actors before a patch was available, giving developers zero days to fix them before the risk became active.

Google credited the discovery of both zero-days to its internal security teams on 10 March 2026; three days later, on 13 March, fixes for both were shipped to the stable channel in Chrome 146.0.7680.75.

CVE-2026-3909 — Skia Graphics Flaw

CVE-2026-3909 is a memory-corruption flaw in Skia, the 2D graphics library Chrome uses to render page content, affecting all versions before 146.0.7680.75. Skia is also used by Android and Flutter, so the same code runs well beyond the browser.

By crafting a malicious webpage, an attacker can trigger the flaw to corrupt the renderer's memory and overwrite data that other code depends on. This can lead to:

  • Data exposure: attackers can read sensitive information stored in the browser's memory
  • Malicious code execution: attackers can hijack the browser to run their own code
  • Browser crashes: causing the affected tab or the entire browser to stop working

CVE-2026-3910 — Inappropriate implementation in V8

CVE-2026-3910 involves an inappropriate implementation in V8 — Google's high-performance JavaScript and WebAssembly engine — in Google Chrome prior to version 146.0.7680.75. It allows a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.

Chrome uses the label "inappropriate implementation" for logic errors rather than classic memory-safety bugs; in V8 these typically sit in the Just-In-Time (JIT) compiler or its optimisation phases, where an optimisation rests on an assumption that crafted JavaScript can violate. Simply visiting a compromised or malicious website is sufficient to trigger it. Note the scope in the description above: the attacker gains code execution inside the renderer sandbox, which isolates the rendering process from the rest of the system. A V8 flaw of this nature is therefore usually chained with a second bug to escape the sandbox and reach the operating system.

CVE-2026-3909 and CVE-2026-3910 represent the second and third Chrome zero-days addressed in 2026, following a previous use-after-free bug in the CSS component (CVE-2026-2441).

So what?

These vulnerabilities matter — not just in a technical sense, but in terms of the very real and immediate risks they pose to businesses and individuals alike.

The threat is active right now

Both flaws are triggered by rendering a web page, so exploitation needs no download, attachment or prompt for the user to approve, and the controls that usually catch those (mail filtering, macro blocking, awareness training) do not apply. Critically, both have been confirmed to be exploited in the wild, posing immediate risks to data integrity and system availability. This is not a theoretical threat: attackers are using these vulnerabilities today.

The Ransomware and Phishing Risk

The active exploitation of these zero-days underscores the importance of timely threat intelligence. Ransomware groups commonly buy access from initial access brokers, and a browser zero-day that gives code execution from a single page visit is a direct route to dropping stagers and loaders. Once a fix is public the bugs become n-days, and exploit kits are frequently updated to include Chromium bugs within days of the advisory, so the unpatched window is the dangerous one.

Government authorities have taken notice

Both vulnerabilities have been formally added to the US Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities Catalogue. In relation to CVE-2026-3909, CISA has set a required action deadline of 27 March 2026, directing organisations to apply mitigations per vendor instructions, follow applicable guidance for cloud services, or discontinue use of the product if mitigations are unavailable. The same deadline and requirement applies to CVE-2026-3910.

Supply chain implications

Organisations that monitor supply-chain risk should recognise that vulnerabilities in shared libraries like Skia affect not only browsers but any application that embeds them. Electron-based desktop apps and other Chromium-embedding software bundle their own copy of Chromium, with V8 and Skia inside it, and are patched on their vendor's schedule rather than Google's. If your organisation relies on such software, the exposure may be broader than it first appears.

What should I do?

The good news is that a patch is available. The key is to act immediately. Here is what we recommend:

For everyone

Organisations must update Chrome to version 146.0.7680.75 or higher to mitigate the risk. You can check your current version by:

  1. Opening Google Chrome
  2. Clicking the three-dot menu in the top-right corner
  3. Selecting Help > About Google Chrome
  4. Allowing the browser to check for and apply any available updates

You must be running Chrome version 146.0.7680.75 or 146.0.7680.76 (on Windows or macOS) or 146.0.7680.75 (on Linux) to be protected.

Importantly, restarting the browser is essential. Chrome downloads updates silently in the background, but the new build only runs after a relaunch; when an update is pending, the About page and the menu button show a Relaunch prompt. Staff must be told that a downloaded update is not protection until they restart.

For IT and security teams

A 24-hour patch cycle is recommended. Utilise unified endpoint management (UEM) or mobile device management (MDM) tools to force browser updates across the organisation. Additionally:

  • Monitor network logs for unusual outbound connections from browser processes (egress filtering);
  • Ensure Site Isolation is enabled (it is on by default on desktop Chrome; the SitePerProcess enterprise policy enforces it so users cannot opt out); and
  • Verify that all endpoints are running Chrome version 146.0.7680.75/76 or higher, using inventory data from your UEM/MDM rather than self-reports.
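To turn that last verification step into something an IT team can actually run, here is an added example (written for this article; it is not Google's, CISA's or any vendor's tooling) that compares an installed or inventoried Chrome version against the fixed build. The hostnames and version strings in the sample inventory are constructed; the Windows registry key and the macOS/Linux binary locations are the common defaults and may differ in a customised fleet. The version comparison works on integer tuples, because comparing version strings as text gets the patch segment wrong.

```python
"""Check that Chrome is at or above the build that fixes CVE-2026-3909 and
CVE-2026-3910, either on this host or across a UEM/MDM inventory export.
Added example for this article, not Google's or any vendor's code."""
import platform
import re
import shutil
import subprocess
from typing import Dict, List, Optional, Tuple

# Fixed builds named in the advisory: 146.0.7680.75 on every platform, with
# 146.0.7680.76 also shipped on Windows and macOS. Anything >= .75 is patched.
MIN_FIXED = "146.0.7680.75"

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Extract a four-part Chrome version from text such as
    'Google Chrome 146.0.7680.75' and return it as an integer tuple.
    String comparison would be wrong: '146.0.7680.9' sorts after
    '146.0.7680.75' as text but is an older build."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Chrome version in {text!r}")
    return tuple(int(g) for g in m.groups())  # type: ignore[return-value]


def is_patched(installed: str, minimum: str = MIN_FIXED) -> bool:
    """True if the installed build is at or above the fixed build."""
    return parse_version(installed) >= parse_version(minimum)


def local_chrome_version() -> Optional[str]:
    """Best effort: read the version of the Chrome installed on this host.
    Returns None if Chrome is not installed or cannot be queried."""
    system = platform.system()
    if system == "Windows":
        # Chrome records its installed version under this per-user key
        # (assumed default; enterprise installs may differ).
        try:
            import winreg  # Windows-only module
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                                r"Software\Google\Chrome\BLBeacon") as key:
                return winreg.QueryValueEx(key, "version")[0]
        except OSError:
            return None
    if system == "Darwin":
        candidates = ["/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"]
    else:
        candidates = [shutil.which(n) for n in
                      ("google-chrome", "google-chrome-stable", "chromium-browser", "chromium")]
    for path in candidates:
        if not path:
            continue
        try:
            out = subprocess.run([path, "--version"], capture_output=True,
                                 text=True, timeout=10)
        except (OSError, subprocess.SubprocessError):
            continue
        if out.returncode == 0 and VERSION_RE.search(out.stdout):
            return out.stdout.strip()
    return None


def fleet_report(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Split a {hostname: version string} inventory (e.g. a UEM/MDM export)
    into patched and unpatched hosts. Entries with no parsable version are
    treated as unpatched: an unknown build is not evidence of protection."""
    report: Dict[str, List[str]] = {"patched": [], "needs_update": []}
    for host, ver in sorted(inventory.items()):
        try:
            bucket = "patched" if is_patched(ver) else "needs_update"
        except ValueError:
            bucket = "needs_update"
        report[bucket].append(host)
    return report


# Constructed sample inventory for illustration; these are not real hosts.
SAMPLE_INVENTORY = {
    "ws-001": "Google Chrome 146.0.7680.75",
    "ws-002": "146.0.7680.76",
    "ws-003": "Google Chrome 145.0.7632.120",
    "ws-004": "146.0.7680.9",   # string-sorts above .75 but is an older build
    "ws-005": "unknown",
}

if __name__ == "__main__":
    local = local_chrome_version()
    status = "patched" if local and is_patched(local) else "needs update or not found"
    print("local Chrome:", local, "->", status)
    print("fleet:", fleet_report(SAMPLE_INVENTORY))
```

Run it on an endpoint to check that machine, or feed `fleet_report` the version column exported from your UEM/MDM; hosts that land in `needs_update` are the ones to force through an update and relaunch.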

For business leaders

  • Review security budgets to ensure they account for threat intelligence capabilities to stay ahead of rapid exploit cycles;
  • Enforce a policy requiring the use of managed, up-to-date browsers for all corporate data access; and
  • Educate staff - inform employees about the necessity of restarting their browsers to apply updates that may already have downloaded in the background.