Cyber News & CTI Reports :: 2026-03-12 | Google fixes two new Chrome zero-days exploited in attacks

2026-03-12 | Google fixes two new Chrome zero-days exploited in attacks

1. AI Summary

Google issued emergency Chrome updates fixing two actively exploited zero-days. CVE-2026-3909 (Skia out-of-bounds write) and CVE-2026-3910 (V8 inappropriate implementation) are patched in versions 146.0.7680.75/76.

2. IOCs

| IOC Type | Value | Description | Relevant MITRE ATT&CK Techniques |
| --- | --- | --- | --- |
| Vulnerability | CVE-2026-3909 | Out-of-bounds write weakness in Skia 2D graphics library allowing browser crash or code execution. | T1203\|T1068 |
| Vulnerability | CVE-2026-3910 | Inappropriate implementation vulnerability in V8 JavaScript and WebAssembly engine. | T1203\|T1068 |

3. MITRE ATT&CK

| Code | Title |
| --- | --- |
| T1203 | Exploitation for Client Execution: Memory corruption in Skia and V8 leads to code execution. |
| T1068 | Exploitation for Privilege Escalation: Out-of-bounds write and implementation flaws allow privilege escalation. |

4. Targets

| Type | Value |
| --- | --- |
| Sector | Technology |

5. Article Details

6. Original text

Google has released emergency security updates to patch two high-severity Chrome vulnerabilities exploited in zero-day attacks. "Google is aware that exploits for both CVE-2026-3909 & CVE-2026-3910 exist in the wild," Google said in a security advisory published on Thursday.

The first zero-day (CVE-2026-3909) stems from an out-of-bounds write weakness in Skia, an open-source 2D graphics library responsible for rendering web content and user interface elements, which attackers can exploit to crash the web browser or even gain code execution. The second one (CVE-2026-3910) is described as an inappropriate implementation vulnerability in the V8 JavaScript and WebAssembly engine.

Google discovered both security flaws and patched them within two days of reporting for users in the Stable Desktop channel, with new versions rolling out to Windows (146.0.7680.75), macOS (146.0.7680.76), and Linux systems (146.0.7680.75). While Google says the out-of-band update could take days or weeks to reach all users, it was immediately available when BleepingComputer checked for updates earlier today. If you don't want to update your web browser manually, you can also have it check for updates automatically and install them at the next launch.

Although Google found evidence that attackers are exploiting this zero-day flaw in the wild, the company didn't share further details regarding these incidents. "Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed," it noted.

These are the second and third actively exploited Chrome zero-days patched since the start of 2026. The first, tracked as CVE-2026-2441 and described as an iterator invalidation bug in CSSFontFeatureValuesMap (Chrome's implementation of CSS font feature values), was addressed in mid-February.

Last year, Google fixed a total of eight zero-days exploited in the wild, many of which were reported by Google's Threat Analysis Group (TAG), a group of security researchers known for tracking and identifying zero-days exploited in spyware attacks. On Thursday, Google also revealed that it has paid over $17 million to 747 security researchers who reported security flaws through its Vulnerability Reward Program (VRP) in 2025.