Google fixed two new actively exploited flaws in the Chrome browser

AndyC 14 March 2026

Google fixed two new actively exploited flaws in the Chrome browser

Google fixed two new actively exploited flaws in the Chrome browser

Google fixed two new actively exploited flaws in the Chrome browser

Google fixed two new actively exploited flaws in the Chrome browser

Pierluigi Paganini
March 13, 2026

Google addressed two high-severity vulnerabilities in the Chrome browser that have been exploited in attacks in the wild.

Google has released security updates to address two high-severity vulnerabilities, tracked as CVE-2026-3909 and CVE-2026-3910, in the Chrome browser. The company is aware of attacks in the wild exploiting both flaws.

“Google is aware that exploits for both CVE-2026-3909 & CVE-2026-3910 exist in the wild.” reads the advisory published by the tech giant.

Google experts discovered both vulnerabilities on March 10, 2026. As usual, the company did not disclose details about the attacks exploiting these flaws or the threat actors involved.

Below are the descriptions for these vulnerabilities:

  • CVE-2026-3909 (CVSS score: 8.8) – Out-of-bounds write in the Skia 2D graphics library that lets a remote attacker trigger memory corruption by tricking a user into opening a specially crafted HTML page.
  • CVE-2026-3910 (CVSS score: 8.8) – Flaw in the implementation of the V8 JavaScript/WebAssembly engine that lets a remote attacker run arbitrary code within the browser sandbox using a maliciously crafted HTML page.

The company informed users that the Stable channel has been updated to version 146.0.7680.75/76 for Windows and Mac, and 146.0.7680.75 for Linux. The update will roll out over the coming days and weeks. A full list of changes in this build is available in the log.

In mid-February, Google released urgent security updates to address another high-severity zero-day vulnerability, tracked as CVE-2026-2441 (CVSS score of 8.8), in Chrome that is already being exploited in real-world attacks. The flaw is a use-after-free bug in the browser’s CSS component.

It was the first actively exploited Chrome zero-day fixed in 2026, after eight similar flaws were patched in 2025. An attacker could exploit the flaw to compromise affected systems. The issue was discovered and responsibly reported by security researcher Shaheen Fazim on February 11, 2026.

Google has confirmed that an exploit for CVE-2026-2441 exists in the wild, but has not shared details about how it is being used or which threat actor is behind the exploitation of the flaw.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Chrome)

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

Tags: , , , , , , , , , , , , , , , , , , , ,

More Stories

US and European authorities disrupt socksEscort proxy service tied to AVrecon botnet

US and European authorities disrupt socksEscort proxy service tied to AVrecon botnet

AndyC 14 March 2026
AI-assisted Slopoly malware powers Hive0163’s ransomware campaigns

AI-assisted Slopoly malware powers Hive0163’s ransomware campaigns

AndyC 14 March 2026
Beyond File Servers: Securing Unstructured Data in the Era of AI

Beyond File Servers: Securing Unstructured Data in the Era of AI

AndyC 14 March 2026
Zero Trust in the Real World: A CISO’s Guide to Getting it Done

Zero Trust in the Real World: A CISO’s Guide to Getting it Done

AndyC 13 March 2026
Building Trust in AI SOC Analyst Solutions: A UK and EU CISO Perspective

Building Trust in AI SOC Analyst Solutions: A UK and EU CISO Perspective

AndyC 13 March 2026
Apple issues emergency fixes for Coruna flaws in older iOS versions

Apple issues emergency fixes for Coruna flaws in older iOS versions

AndyC 13 March 2026

You may have missed

US and European authorities disrupt socksEscort proxy service tied to AVrecon botnet

US and European authorities disrupt socksEscort proxy service tied to AVrecon botnet

AndyC 14 March 2026
Top 5 AI Access Risks for CISOs and How AI Governance Closes the Gaps

AI Has Given You Two New Problems – And Identity Governance Is the Only Place They Meet

AndyC 14 March 2026
Top 5 AI Access Risks for CISOs and How AI Governance Closes the Gaps

How to Govern AI Access to ERP and Financial Systems

AndyC 14 March 2026
Randall Munroe’s XKCD ‘Installation’

Randall Munroe’s XKCD ‘Installation’

AndyC 14 March 2026
Adobe CEO steps down after 18 years

European companies warn EU leaders: reduced reliance on US tech could hurt profitability

AndyC 14 March 2026

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.