In a stable channel update for desktop, Google said on Thursday it released updates for the Chrome browser to fix two high-severity vulnerabilities that have been exploited in the wild. Both carry a CVSS score of 8.8.
KEY FACTS
- Incident Two Chrome vulnerabilities exploited in the wild
- Vulnerabilities CVE-2026-3909 in Skia and CVE-2026-3910 in V8
- Severity CVSS score 8.8 for both
- Fix Update Chrome to 146.0.7680.75/76 on supported platforms
Both vulnerabilities were discovered on March 10, 2026.
CVE-2026-3909 is an out-of-bounds write in the Skia 2D graphics library that allows out-of-bounds memory access via a crafted HTML page. CVE-2026-3910 is an inappropriate implementation in the V8 JavaScript and WebAssembly engine that can allow arbitrary code execution inside a sandbox via a crafted HTML page.
Exploits for both vulnerabilities exist in the wild, according to the advisory. No technical details about how the issues are being abused or who is behind the attacks were released to limit additional abuse.
Users should update Chrome to versions 146.0.7680.75 and 146.0.7680.76 for Windows and macOS and 146.0.7680.75 for Linux. To apply updates go to More then Help then About Google Chrome and select Relaunch. Users of other Chromium based browsers should apply vendor updates when they are available.
WHY IT MATTERS
These are actively exploited zero-days in widely used browser components. Installing the available updates reduces the risk of compromise from web content that exploits the vulnerabilities.