The flaws, tracked as CVE‑2026‑3909 and CVE‑2026‑3910, could allow attackers to execute malicious code on vulnerable systems.
Google announced the fixes as part of the Chrome Stable Channel update, which upgrades the browser to version 146.0.7680.75/76 for Windows and macOS and version 146.0.7680.75 for Linux. The update is being rolled out gradually over the coming days and weeks.
According to Google’s advisory, both vulnerabilities were discovered internally by the Google security team and reported on March 10, 2026.
Google confirmed that exploits targeting these vulnerabilities already exist in the wild, making immediate patching critical for users and organizations.
The first vulnerability, CVE‑2026‑3909, is an out‑of‑bounds write flaw in Skia, the graphics engine used by Chrome for rendering images and visual elements.
Out‑of‑bounds memory issues occur when a program writes data outside the allocated memory buffer.
Attackers can potentially exploit this behavior to corrupt memory and execute arbitrary code within the browser environment.
The second vulnerability, CVE‑2026‑3910, involves an inappropriate implementation issue in V8, Chrome’s high‑performance JavaScript engine.
V8 is responsible for executing JavaScript code within the browser, and vulnerabilities in this component are particularly dangerous because they can be triggered through malicious web content.
If successfully exploited, this flaw could allow attackers to manipulate browser processes, potentially enabling remote code execution or further system compromise.
Google has confirmed that both vulnerabilities are already being exploited in real‑world attacks. However, the company has not disclosed specific details about the exploitation techniques, threat actors involved, or attack campaigns.
This limited disclosure is intentional. Google restricts technical details about actively exploited vulnerabilities until most users receive the security update, preventing attackers from using the information to develop new exploits.
Zero‑day vulnerabilities are especially dangerous because they are exploited before security patches are widely available.
Attackers often use them in targeted campaigns against high‑value individuals, enterprises, journalists, or government organizations.
Google stated that many Chrome security vulnerabilities are identified through advanced automated testing tools and security technologies integrated into the Chromium development process. These include:
These tools help detect vulnerabilities early during development before they reach the stable release channel.
Users and organizations are strongly advised to update Chrome immediately to the latest version to protect against potential exploitation.
Security experts recommend the following actions:
Users can verify their Chrome version by navigating to Settings → About Chrome, which will automatically trigger an update check.
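For a fleet, the same check can be run over collected version strings. The following Python script is an added example, not taken from Google's advisory or the original article: it flags installs older than the fixed build 146.0.7680.75 named above. The host names, the sample inventory and the `Google Chrome <version>` string format are assumptions constructed for illustration.

```python
"""Flag Chrome installs older than the build fixing CVE-2026-3909 / CVE-2026-3910."""
import re

# Fixed build from the article. .75 is the minimum on every platform
# (Windows/macOS may also report .76).
PATCHED = (146, 0, 7680, 75)

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return the four-part version as a tuple of ints, or None if absent."""
    match = VERSION_RE.search(text or "")
    return tuple(int(part) for part in match.groups()) if match else None


def classify(version_text):
    """Compare numerically, field by field. A plain string comparison would
    rank '146.0.7680.9' above '146.0.7680.75' and miss a vulnerable host."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # no version collected: needs manual follow-up
    return "patched" if version >= PATCHED else "vulnerable"


def audit(inventory):
    """inventory: iterable of (host, version string). Returns {status: [hosts]}."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for host, text in inventory:
        report[classify(text)].append(host)
    return report


# Constructed sample inventory (assumed format: 'Google Chrome <version>').
SAMPLE = [
    ("win-01", "Google Chrome 146.0.7680.76"),
    ("mac-02", "Google Chrome 146.0.7680.75"),
    ("lin-03", "Google Chrome 146.0.7680.9"),    # older build, fewer digits
    ("win-04", "Google Chrome 145.0.7999.200"),  # larger build, older major
    ("lin-05", "Google Chrome 147.0.7700.2"),    # newer major release
    ("kiosk-06", "chrome: command not found"),   # collection failed
]

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE).items():
        print(f"{status:<10} {', '.join(hosts) or '-'}")
```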
With both vulnerabilities confirmed as actively exploited, applying the latest Chrome update remains the most effective way to prevent potential compromise.
The post Two New Google Chrome Zero-Day Vulnerabilities Actively Exploited for Code Execution appeared first on Cyber Security News.