Google patches two actively exploited Chrome zero-days in Skia and V8 engines

By Artem Safonov, Threat Analyst

Google shipped an emergency Chrome update on March 13, 2026. The patch fixes two zero-day vulnerabilities, both with a CVSS score of 8.8, that are being exploited in active attacks. The flaws affect Skia, Chrome's 2D graphics rendering library, and V8, its JavaScript and WebAssembly engine. Updated versions are 146.0.7680.75 for Windows and Linux, and 146.0.7680.76 for macOS.

CVE-2026-3909 is an out-of-bounds write in Skia. A remote attacker can trigger the flaw by luring a user to a crafted HTML page, corrupting memory and potentially executing arbitrary code or crashing the browser. Skia handles all visual rendering in Chrome, from web content to interface elements, making it a high-value target for exploit developers.

CVE-2026-3910 is an inappropriate implementation flaw in V8. The vulnerability allows an attacker to execute arbitrary code inside Chrome's sandbox through a malicious HTML page. V8 flaws are frequently chained with other exploits to escape the sandbox entirely and gain control of the underlying operating system.

Both vulnerabilities were discovered internally on March 10. Google shipped patches within 48 hours but has not disclosed who is behind the attacks, how widespread the campaigns are, or which targets have been affected. Exploitation details are withheld to prevent other threat actors from reverse-engineering the flaws before the patch reaches most users.

Chrome bugs found by Google are often targeted by commercial spyware vendors. V8 flaws are often targeted in sandbox escape attacks.

— Ionut Arghire

Chrome zero-days have a pattern of appearing in spyware operations. Google's Threat Analysis Group (TAG) reported many of the eight Chrome zero-days patched in 2025. TAG specializes in tracking government-backed spyware vendors who purchase or develop zero-day exploits for targeted surveillance. Google withholds exploitation details for new zero-days to prevent other threat actors from reverse-engineering the flaws before the patch reaches most users.

The March 13 flaws are the second and third Chrome zero-days of 2026. Google fixed the first, CVE-2026-2441, in mid-February. That bug was a use-after-free in Chrome's CSS font feature handling (CSSFontFeatureValuesMap) that allowed code execution through a crafted HTML page. Chrome 145.0.7632.75 patched it.

While Google relies heavily on advanced testing frameworks like AddressSanitizer and MemorySanitizer to catch these flaws internally, rapid user patching remains the most effective defense against active zero-day exploitation.

— GBHackers noted in its technical breakdown of the two CVEs

Google paid over $17 million to 747 researchers through its Vulnerability Reward Program (VRP) in 2025. Neither of the new zero-days came through that program. Chrome for Android received a separate fix in version 146.0.76380.115.

Users should update Chrome immediately. Open the three-dot menu, navigate to Settings, then About Chrome. The browser will download and apply the patch on the next relaunch. BleepingComputer confirmed the update was available for manual download on Thursday, though automatic rollout may take days to reach all installations.
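For teams that cannot wait for the automatic rollout, the following added example (not from the original article or from Google) triages a software inventory against the fixed desktop builds listed above. The `host,os,version` export format, the host names and the sample rows are constructed assumptions; Android is left out.

```python
import re

# Fixed desktop builds as listed in the article; Android is out of scope here.
FIXED_BUILDS = {
    "windows": (146, 0, 7680, 75),
    "linux": (146, 0, 7680, 75),
    "macos": (146, 0, 7680, 76),
}
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")

# Constructed sample inventory (hypothetical "host,os,version" export).
SAMPLE_INVENTORY = """\
ws-01,Windows,146.0.7680.75
ws-02,Windows,146.0.7680.9
mac-01,macOS,Google Chrome 146.0.7680.75
mac-02,macOS,146.0.7680.76
lnx-01,Linux,Google Chrome 145.0.7632.75
lnx-02,Linux,147.0.7700.1
kiosk-01,ChromeOS,146.0.7680.75
ws-03,Windows,not reported
"""

def parse_version(text):
    """Pull a four-part version out of text such as 'Google Chrome 146.0.7680.75'."""
    m = VERSION_RE.search(text)
    return tuple(int(part) for part in m.groups()) if m else None

def assess(os_name, version_text):
    """Return 'patched', 'needs_update' or 'unknown' for one installation."""
    fixed = FIXED_BUILDS.get(os_name.strip().lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"  # unlisted platform or unparseable version: check by hand
    # Tuple comparison is numeric per component, so build .9 sorts below .75.
    return "patched" if version >= fixed else "needs_update"

def triage(inventory):
    """Map each host in a 'host,os,version' export to its status."""
    results = {}
    for line in inventory.splitlines():
        fields = [f.strip() for f in line.split(",", 2)]
        if len(fields) != 3 or not fields[0]:
            continue  # skip blank or malformed rows
        host, os_name, version_text = fields
        results[host] = assess(os_name, version_text)
    return results

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Because the patch only takes effect after a relaunch, the version fed to the script should be the one the running browser reports, not the package version on disk.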

Questions on the topic

What Chrome zero-days were patched in March 2026?
Google patched CVE-2026-3909 (out-of-bounds write in Skia) and CVE-2026-3910 (implementation flaw in V8) on March 13, 2026. Both are actively exploited and carry a CVSS of 8.8. Update Chrome to 146.0.7680.75.