
Google on Thursday released security updates for its Chrome web browser that address two high-severity vulnerabilities that have been reported to be exploited in the wild.
Here is the list of vulnerabilities:
CVE-2026-3909 (CVSS Score: 8.8) – An out-of-bounds write vulnerability in the Skia 2D graphics library allows remote attackers to perform out-of-bounds memory accesses via a crafted HTML page.
CVE-2026-3910 (CVSS Score: 8.8) – Improper implementation vulnerability in the V8 JavaScript and WebAssembly engine allows remote attackers to execute arbitrary code in a sandbox via a crafted HTML page.
Both vulnerabilities were discovered and reported by Google itself on March 10, 2026. As is customary in these cases, details about how the issues are being exploited or who is behind the effort are not available. This is done to prevent other threat actors from exploiting the issues.
“Google is aware that exploits for both CVE-2026-3909 and CVE-2026-3910 exist in the wild,” the company said.
This development comes less than a month after Google shipped a fix for a high-severity use-after-free bug in Chrome’s CSS component (CVE-2026-2441, CVSS score: 8.8) that was also exploited as a zero-day. Google has now patched a total of three actively weaponized Chrome zero-days since the beginning of this year.
For optimal protection, we recommend updating your Chrome browser to version 146.0.7680.75/76 for Windows and Apple macOS and 146.0.7680.75 for Linux. To ensure the latest updates are installed, users can navigate to More > Help > About Google Chrome and select Relaunch.
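For administrators checking many machines against the fixed builds named above, the following added example (not from Google or the original article) flags hosts whose reported Chrome version is below 146.0.7680.75. It assumes version strings in the `Google Chrome <version>` form that `chrome --version` prints; host names and the inventory are constructed.

```python
import re

# Lowest patched build per platform, taken from the article
# (Windows/macOS ship .75 or .76, Linux ships .75).
FIXED = {
    "windows": (146, 0, 7680, 75),
    "macos": (146, 0, 7680, 75),
    "linux": (146, 0, 7680, 75),
}

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Extract a four-part Chrome version as a tuple of ints, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def is_patched(platform, version_text):
    """True/False for a known platform and parsable version, else None."""
    fixed = FIXED.get(platform.lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return None
    # Compare numerically: as plain strings "…7680.9" sorts above "…7680.75"
    # and "…7680.100" sorts below it, both of which give the wrong answer.
    return version >= fixed


def audit(inventory):
    """Return (host, reason) for every host that is not confirmed patched."""
    findings = []
    for host, platform, version_text in inventory:
        status = is_patched(platform, version_text)
        if status is None:
            findings.append((host, "unknown"))
        elif not status:
            findings.append((host, "vulnerable"))
    return findings


# Constructed sample inventory (hypothetical hosts and collected output).
SAMPLE = [
    ("ws-01", "windows", "Google Chrome 146.0.7680.76"),
    ("ws-02", "windows", "Google Chrome 146.0.7680.9"),
    ("mac-01", "macos", "Google Chrome 145.0.7632.117"),
    ("lnx-01", "linux", "Google Chrome 146.0.7680.75"),
    ("lnx-02", "linux", "Google Chrome 146.0.7680.100"),
    ("ws-03", "windows", "not installed"),
]

if __name__ == "__main__":
    for host, reason in audit(SAMPLE):
        print(f"{host}: {reason}")
```

Hosts reported as "unknown" need a manual check rather than being treated as patched.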
Users of other Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also encouraged to apply fixes when they become available.
