GOOGLE fixed two Chrome zero-days that were being exploited in the wild, affecting the Skia and V8 components. The vulnerabilities are CVE-2026-3909, an out-of-bounds write in Skia, and CVE-2026-3910, an inappropriate implementation in V8, both rated with a CVSS score of 8.8. Both issues were discovered and reported by Google on 10 March 2026, and Google says exploits for them exist in the wild.
For users seeking protection, Google recommends updating to Chrome versions 146.0.7680.75/76 on Windows and macOS, and 146.0.7680.75 on Linux, via More > Help > About Google Chrome and Relaunch. The company notes that details about who is exploiting the flaws in the wild are not being disclosed to prevent further use by threat actors.