
Google has released an out-of-band Chrome update to fix two high-severity zero-day vulnerabilities that are actively exploited in the wild. The update is now available for Windows, macOS and Linux.
“Google is aware that exploits exist for both CVE-2026-3909 and CVE-2026-3910,” Google said in a security notice published on Thursday.
Fixed versions: Windows (146.0.7680.75), macOS (146.0.7680.76), and Linux (146.0.7680.75).
CVE-2026-3909 is an out-of-bounds write vulnerability in Skia, the open source 2D graphics library that Chrome uses to render web content and user interface elements. Out-of-bounds write flaws in rendering components can allow attackers to crash the browser or achieve code execution.
CVE-2026-3910 is an inappropriate implementation vulnerability in V8, Chrome’s JavaScript and WebAssembly engine. Google has not released technical details about either flaw while the update is still rolling out to users.
Google discovered both vulnerabilities internally and released patches two days after the report.
Chrome updates automatically, but the fix can be applied immediately by going to Settings > Help > About Google Chrome. The browser will check for and install the update, requiring a restart to apply it.
Google says the update could take days or weeks to reach all users through the standard rollout process.
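Because the rollout is staggered, administrators may want to confirm which machines already run a fixed build. The following is an added example, not part of Google's notice: it compares reported Chrome versions against the per-platform fixed builds listed above, and assumes a hypothetical inventory export with `host,platform,version` lines.

```python
import re

# Fixed builds as stated in the article; anything lower is still exposed.
FIXED = {
    "windows": (146, 0, 7680, 75),
    "macos": (146, 0, 7680, 76),
    "linux": (146, 0, 7680, 75),
}

VERSION_RE = re.compile(r"\d+(?:\.\d+){3}", re.ASCII)

def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not a four-part version."""
    text = text.strip()
    if not VERSION_RE.fullmatch(text):
        return None
    return tuple(int(part) for part in text.split("."))

def classify(platform, version_text):
    """Return 'patched', 'vulnerable', or 'unknown' for one machine."""
    fixed = FIXED.get(platform.strip().lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"  # unlisted platform or unparseable version: check by hand
    # Tuple comparison orders versions numerically, component by component.
    return "patched" if version >= fixed else "vulnerable"

def audit(inventory_csv):
    """Map hostname -> status for 'host,platform,version' lines (assumed format)."""
    results = {}
    for line in inventory_csv.strip().splitlines():
        fields = [field.strip() for field in line.split(",")]
        if len(fields) != 3:
            continue  # skip malformed rows
        host, platform, version = fields
        results[host] = classify(platform, version)
    return results

# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE = """
ws-001,Windows,146.0.7680.75
ws-002,Windows,146.0.7680.31
mac-014,macOS,146.0.7680.75
lin-203,Linux,147.0.7700.2
kiosk-9,Linux,unknown
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

A version reported from disk can read as fixed while the running browser is still the old build, since the update only takes effect after a restart.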
These are the second and third Chrome zero-days actively exploited and patched in 2026. The first, CVE-2026-2441, an iterator invalidation bug in CSSFontFeatureValuesMap, was fixed in mid-February. Google patched eight actively exploited Chrome zero-days throughout 2025.
Google has not shared details about the attacks that exploit these flaws and states that the details of the bugs will remain restricted until the majority of users have applied the fix.