Google Fixes Two Chrome Zero-Days Exploited in the Wild Affecting Skia and V8

On Thursday, Google released security updates for its Chrome web browser to fix two serious security holes that it said have been used in the wild This article explores exploits cve 2026. . The following is a list of vulnerabilities: CVE-2026-3909 (CVSS score: 8.8) - An out-of-bounds write vulnerability in the Skia 2D graphics library that lets a hacker from afar access memory outside of the bounds of a crafted HTML page. CVE-2026-3910 (CVSS score: 8.8) is a flaw in the V8 JavaScript and WebAssembly engine that lets a remote attacker run any code inside a sandbox using a specially crafted HTML page.

Google found and reported both of these security holes on March 10, 2026.

As is usual in these cases, there are no details about how the problems are being used in the wild or who is behind the efforts. This is done to keep other threat actors from taking advantage of the problems. "Google knows that there are exploits for both CVE-2026-3909 and CVE-2026-3910 in the wild," the company said.

This news comes less than a month after Google sent out fixes for a serious use-after-free bug in Chrome's CSS component (CVE-2026-2441, CVSS score: 8.8) that had also been used as a zero-day. Since the beginning of the year, Google has fixed three actively weaponised Chrome zero-days.

To get the best protection, users should update their Chrome browser to Windows and Apple macOS versions 146.0.7680.75/76 and Linux version 146.0.7680.75. Users can go to More > Help > About Google Chrome and click Relaunch to make sure they have the most recent updates. People who use other Chromium-based browsers like Microsoft Edge, Brave, Opera, and Vivaldi should also apply the fixes as soon as they are available.