GOOGLE issued an emergency Chrome 146 update to fix two zero-day vulnerabilities that were exploited in the wild, tracked as CVE-2026-3909 and CVE-2026-3910, both with a CVSS score of 8.8. According to Google’s advisory, exploits for these flaws exist in the wild, and CVE-2026-3909 is an out-of-bounds write defect in the Skia graphics library, while CVE-2026-3910 is an inappropriate implementation weakness in the V8 JavaScript engine.
The fixes arrived in Chrome versions 146.0.7680.75/76 for Windows and macOS, and 146.0.7680.75 for Linux, with Chrome for Android updated to 146.0.76380.115.
The emergency update followed Chrome 146’s promotion to the stable channel two days earlier, which addressed 29 flaws across WebML, Web Speech, Agents, WebMCP, Extensions, TextEncoding, MediaStream, WebMIDI, WindowDialog, and more; Google also noted that it paid roughly $210,000 in bounty rewards to researchers for reporting the bugs, though final amounts for 10 vulnerabilities were not disclosed.
Written by Ionut Arghire, SecurityWeek reports these details to underscore the rapid response and ongoing risk from actively exploited Chrome vulnerabilities.