GOOGLE has released an out-of-band security update for Chrome desktop that patches two high‑severity zero‑day vulnerabilities that were under active attack. Both bugs can be exploited remotely and require only that a user visits a malicious website, with the attack complexity described as low and the real-world risk high. The latest safe versions are 146.0.7680.75/76 for Windows and macOS and 146.0.7680.75 for Linux, and users on 146.0.7680.75 or later are protected from these vulnerabilities.
To update, open the More menu, go to Settings > About Chrome, and restart the browser when prompted; manual updates are also possible via the guide linked in Malwarebytes. The two flaws are identified as CVE‑2026‑3909 in Skia and CVE‑2026‑3910 in the V8 engine, with Google noting they were discovered and fixed internally and patches landed within roughly two days of reporting.
According to the article, Skia and V8 are prime targets because they sit directly on the path between untrusted web content and the underlying system, and the piece also notes that exploit chains have been used by threat actors and spyware vendors.