Two New Google Chrome Zero-Day Vulnerabilities Actively Exploited for Code Execution

Google has released an emergency security update for its Chrome browser after discovering two high‑severity zero‑day vulnerabilities that are actively being exploited in the wild.

The flaws, tracked as CVE‑2026‑3909 and CVE‑2026‑3910, could allow attackers to execute malicious code on vulnerable systems.

The company announced the fixes as part of the Chrome Stable Channel update, which upgrades the browser to version 146.0.7680.75/76 for Windows and macOS and version 146.0.7680.75 for Linux. The update is being rolled out gradually over the coming days and weeks.

Two High-Severity Zero-Day Flaws

According to Google’s advisory, both vulnerabilities were discovered internally by the Google security team and reported on March 10, 2026.

Google confirmed that exploits targeting these vulnerabilities already exist in the wild, making immediate patching critical for users and organizations.

The first vulnerability, CVE‑2026‑3909, is an out‑of‑bounds write flaw in Skia, the graphics engine used by Chrome for rendering images and visual elements.

Out‑of‑bounds memory issues occur when a program writes data outside the allocated memory buffer.

Attackers can potentially exploit this behavior to corrupt memory and execute arbitrary code within the browser environment.

The second vulnerability, CVE‑2026‑3910, involves an inappropriate implementation issue in V8, Chrome’s high‑performance JavaScript engine.

V8 is responsible for executing JavaScript code within the browser, and vulnerabilities in this component are particularly dangerous because they can be triggered through malicious web content.

If successfully exploited, this flaw could allow attackers to manipulate browser processes, potentially enabling remote code execution or further system compromise.

Google has confirmed that both vulnerabilities are already being exploited in real‑world attacks. However, the company has not disclosed specific details about the exploitation techniques, threat actors involved, or attack campaigns.

This limited disclosure is intentional. Google restricts technical details about actively exploited vulnerabilities until most users receive the security update, preventing attackers from using the information to develop new exploits.

Zero‑day vulnerabilities are especially dangerous because they are exploited before security patches are widely available.

Attackers often use them in targeted campaigns against high‑value individuals, enterprises, journalists, or government organizations.

Google stated that many Chrome security vulnerabilities are identified through advanced automated testing tools and security technologies integrated into the Chromium development process. These include:

  • AddressSanitizer for detecting memory corruption vulnerabilities
  • MemorySanitizer for identifying uninitialized memory usage
  • UndefinedBehaviorSanitizer for catching undefined code behavior
  • Control Flow Integrity for protecting against control flow hijacking
  • Fuzz testing tools such as libFuzzer and AFL

These tools help detect vulnerabilities early during development before they reach the stable release channel.

Mitigation and Update Recommendations

Users and organizations are strongly advised to update Chrome immediately to the latest version to protect against potential exploitation.

Security experts recommend the following actions:

  • Update Chrome to version 146.0.7680.75 or later
  • Restart the browser after updating to ensure patches are applied
  • Enable automatic browser updates where possible
  • Monitor systems for suspicious browser behavior or unexpected processes

Users can verify their Chrome version by navigating to Settings → About Chrome, which will automatically trigger an update check.
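
For a managed fleet, the same version check can be scripted against an inventory export. The following is an added example, not part of the original article or Google's advisory; the CSV layout (`host`, `installed`, `running`), the hostnames and the sample version values are constructed assumptions. It also flags hosts where the update is on disk but an older build is still running, which is why the restart step matters.

```python
import csv
import io
import re

# Minimum fixed build named in the article (Windows, macOS and Linux).
FIXED = (146, 0, 7680, 75)

_VERSION_RE = re.compile(r"^\d+\.\d+\.\d+\.\d+$")


def parse_version(text):
    """Return a 4-tuple of ints for a Chrome version string, or None if malformed."""
    text = (text or "").strip()
    if not _VERSION_RE.match(text):
        return None
    return tuple(int(part) for part in text.split("."))


def classify(installed, running):
    """Classify one host from its on-disk and in-memory Chrome versions."""
    inst, run = parse_version(installed), parse_version(running)
    if inst is None:
        return "unknown"            # no usable inventory data: treat as unverified
    if inst < FIXED:
        return "vulnerable"         # update has not been installed
    if run is not None and run < FIXED:
        return "restart-pending"    # patched on disk, old build still running
    return "patched"                # fixed build installed; none older running


def audit(inventory_csv):
    """Map hostname -> status for a CSV with host,installed,running columns."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["installed"], r["running"]) for r in rows}


# Constructed sample inventory (hostnames, columns and old versions are made up).
SAMPLE = """host,installed,running
win-01,146.0.7680.76,146.0.7680.76
mac-02,146.0.7680.75,145.0.7000.10
lin-03,145.0.7000.10,145.0.7000.10
win-04,146.0.7680.75,
kiosk-05,unknown,
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host:10} {status}")
```

Versions are compared as integer tuples, so a build such as 146.0.7680.9 is correctly treated as older than 146.0.7680.75, which a plain string comparison would get wrong.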

With both vulnerabilities confirmed as actively exploited, applying the latest Chrome update remains the most effective way to prevent potential compromise.


The post Two New Google Chrome Zero-Day Vulnerabilities Actively Exploited for Code Execution appeared first on Cyber Security News.

