GOOGLE has released security updates for two high-severity Chrome flaws that have been exploited in the wild, tracked as CVE-2026-3909 and CVE-2026-3910. Google experts found both vulnerabilities on 10 March 2026, and the company notes that exploits exist in the wild.
CVE-2026-3909 is an out-of-bounds write in the Skia 2D graphics library, enabling memory corruption via a specially crafted HTML page, while CVE-2026-3910 concerns the V8 JavaScript/WebAssembly engine, allowing remote code execution within the browser sandbox through a malicious HTML page. The Stable channel has been updated to version 146.0.7680.75/76 for Windows and Mac, and 146.0.7680.75 for Linux, with a broader rollout planned in the coming days and weeks, according to advisory.
Earlier in February 2026, Google also addressed CVE-2026-2441, another high-severity Chrome zero-day, which was already being exploited in real-world attacks.