Comprehensive Threat Exposure Management Platform
Critical Threat Research : The Iranian Cyber War Intensifies! Download the Report Critical Threat Research : The Iranian Cyber War Intensifies! Download the ReportGoogle has issued urgent security updates for Google Chrome after confirming two high-severity vulnerabilities, CVE-2026-3909 and CVE-2026-3910, both of which have been exploited in real-world attacks. These Google Chrome zero-day vulnerabilities affect critical browser components including the Skia graphics library and the V8 JavaScript engine, enabling attackers to cause memory corruption or execute malicious code within Chrome’s sandbox environment through specially crafted webpages. Notably, CVE-2026-3910 is currently being actively exploited in the wild, representing an immediate threat to organizations and individual users worldwide.
The first vulnerability, CVE-2026-3909, is an out-of-bounds write vulnerability affecting Skia, the graphics library responsible for rendering most visual elements in Google Chrome including images, text, and vector graphics. The flaw occurs due to insufficient bounds checking during memory write operations, allowing threat actors to write data beyond the limits of allocated memory by hosting specially crafted HTML pages that trigger the vulnerable rendering process. Simply visiting or being redirected to a malicious page could activate the exploit, making this a drive-by compromise vulnerability requiring no user interaction beyond normal web browsing. The vulnerability impacts Chrome versions before 146.0.7680.75 on Windows, macOS, and Linux platforms.
Significantly, Google has temporarily removed the security fix for CVE-2026-3909 from the Chrome 146.0.7680.75/76 release and plans to address it in a future update, meaning this actively exploited vulnerability remains unpatched at the time of this advisory. The second flaw, CVE-2026-3910, affects V8, the JavaScript and WebAssembly engine used by Chrome to execute web code. Classified as an inappropriate implementation vulnerability, the issue stems from a flaw in how V8 enforces certain security constraints, allowing attackers to achieve arbitrary code execution within Chrome’s sandbox environment through a specially crafted webpage.
While the Chrome sandbox restricts direct system access, vulnerabilities like CVE-2026-3910 are frequently used as the initial step in more complex exploit chains, where threat actors combine them with additional sandbox escape vulnerabilities to compromise the underlying system completely. Users should immediately update Chrome to version 146.0.7680.75/76 on Windows and macOS, or 146.0.7680.75 on Linux, where the fix for CVE-2026-3910 has already been applied, while remaining vigilant for the forthcoming patch for CVE-2026-3909.
Google has issued urgent security updates to address two high-severity vulnerabilities affecting the Google Chrome browser, both of which have already been exploited in real-world attacks by sophisticated threat actors. The flaws, tracked as CVE-2026-3909 and CVE-2026-3910, highlight how widely used browser components remain targeted as entry points for sophisticated cyber operations and demonstrate the ongoing challenge of securing complex software against zero-day exploitation.
The first vulnerability, CVE-2026-3909, is an out-of-bounds write vulnerability affecting Skia, the powerful graphics library that renders most visual elements in Google Chrome including images, text, and vector graphics. The vulnerability occurs due to insufficient bounds checking during memory write operations, allowing malicious actors to write data beyond the limits of allocated memory regions, potentially corrupting adjacent memory structures and enabling code execution or information disclosure.
A threat actor can exploit this weakness by hosting a specially crafted HTML page that triggers the vulnerable rendering process within the Skia graphics library. Simply visiting or being redirected to such a malicious page could activate the exploit without requiring any additional user interaction, making this a particularly dangerous drive-by compromise vulnerability. The vulnerability impacts Chrome versions before 146.0.7680.75 on Windows, macOS, and Linux operating systems.
Critically, Google has temporarily removed the security fix for CVE-2026-3909 from the Chrome 146.0.7680.75/76 release and plans to address it in a future update, meaning this actively exploited zero-day vulnerability remains unpatched at the time of this advisory publication. Organizations and users should monitor the Chrome Releases blog closely for the forthcoming patch and deploy it immediately upon availability.
The second flaw, CVE-2026-3910, affects V8, the high-performance JavaScript and WebAssembly engine used by Google Chrome to execute web code and power modern web applications. Classified as an inappropriate implementation vulnerability, the security issue stems from a fundamental flaw in how the V8 engine enforces certain critical security constraints during code execution.
By exploiting this weakness through a specially crafted webpage containing malicious JavaScript code, a threat actor could achieve arbitrary code execution within Chrome’s sandbox environment. While the Chrome sandbox is designed to restrict direct system access and limit the impact of security vulnerabilities, sandbox vulnerabilities like CVE-2026-3910 are frequently used as the initial step in more complex multi-stage exploit chains. In these sophisticated attacks, threat actors combine sandbox compromise vulnerabilities with additional sandbox escape vulnerabilities to break out of the restricted environment and compromise the underlying operating system completely.
To mitigate potential risks from these actively exploited vulnerabilities, users and organizations should immediately update Google Chrome to version 146.0.7680.75/76 on Windows and macOS platforms, or version 146.0.7680.75 on Linux systems, where the security fix for CVE-2026-3910 has already been applied. Updates can be installed by navigating to More → Help → About Google Chrome in the browser menu and relaunching the browser once the update download is completed.
Keeping browsers updated remains a critical defense mechanism, particularly as actively exploited zero-day vulnerabilities continue to surface in widely used web technologies. The presence of two actively exploited Chrome vulnerabilities simultaneously underscores the importance of rapid patch deployment and the ongoing arms race between security researchers, software vendors, and sophisticated threat actors targeting browser vulnerabilities.
Install the latest stable Google Chrome release, specifically version 146.0.7680.75/76 for Windows and macOS, or version 146.0.7680.75 for Linux, to remediate CVE-2026-3910. Users can navigate to More > Help > About Google Chrome to trigger the automatic update process and must relaunch the browser to apply the security patch. This update does not address CVE-2026-3909, so continued vigilance and rapid patching of subsequent releases is essential.
Since Google has confirmed that the security fix for CVE-2026-3909 has been deferred to a future Chrome update, organizations should closely monitor the Chrome Releases blog and their enterprise patch management systems for the forthcoming release. Once the CVE-2026-3909 patch becomes available, it should be prioritized for immediate deployment across all Chrome installations due to active exploitation.
Organizations and users relying on Chromium-derived browsers such as Microsoft Edge, Brave, Opera, and Vivaldi should apply the corresponding security updates from those vendors as soon as they become available, as these browsers share the same vulnerable Skia graphics library and V8 JavaScript engine components. Coordinate with browser vendors to ensure timely patch deployment across all Chromium-based browser deployments.
For high-value or high-risk user segments including executives, system administrators, and users with access to sensitive data, consider implementing browser isolation solutions or restricting access to untrusted web content to reduce exposure to drive-by exploitation scenarios that leverage these vulnerabilities. Remote browser isolation technologies can provide an additional security layer by executing web content in isolated environments separate from endpoint systems.
The Google Chrome vulnerability exploitation employs multiple tactics and techniques mapped to the MITRE ATT&CK framework, including initial access through drive-by compromise when victims visit malicious or compromised websites, execution through exploitation for client execution and command and scripting interpreter abuse, and resource development through obtaining capabilities by acquiring or discovering vulnerabilities for use in attacks.
The threat advisory references the official Google Chrome Releases blog announcing the stable channel update for desktop platforms. This reference provides additional technical information and the official patch download location for security teams implementing remediation measures.
Get through updates and upcoming events, and more directly in your inbox