Rewterz
Multiple Google Chrome Zero-Day Vulnerabilities Exploit in the Wild
March 13, 2026

Chrome Zero-Day Exploited in the Wild

Severity

High

Analysis Summary

Google has released an urgent security update for Chrome after confirming that two high-severity zero-day vulnerabilities are being actively exploited in the wild. The update upgrades the browser to version 146.0.7680.75/76 for Windows and macOS and 146.0.7680.75 for Linux, with the rollout expected to reach users gradually over the coming days. Both vulnerabilities were discovered internally by Google’s security team on March 10, 2026, and were assigned High severity ratings, indicating a significant threat to users worldwide if left unpatched.

The first vulnerability, CVE-2026-3909, is an out-of-bounds write flaw in Skia, the open-source 2D graphics engine used in Chrome’s rendering pipeline. Out-of-bounds write vulnerabilities allow attackers to overwrite memory outside the intended buffer, which can lead to arbitrary code execution, application crashes, or system compromise. In a browser environment, such flaws can potentially be abused to bypass sandbox protections and run malicious code on the victim’s machine.

The second vulnerability, CVE-2026-3910, affects the V8 JavaScript engine, Chrome’s high-performance engine responsible for executing JavaScript and WebAssembly. The issue stems from an inappropriate implementation, which could allow attackers to craft a malicious webpage that triggers the flaw when visited. Since JavaScript is executed during normal browsing activity, vulnerabilities in V8 are highly attractive to attackers and can provide a direct pathway for browser-level code execution.

Google has confirmed that exploitation of both vulnerabilities is already occurring in the wild, making immediate patching essential. To prevent further abuse, technical details of the flaws remain restricted until a large portion of users have updated their systems. Users are advised to manually update Chrome via Menu → Help → About Google Chrome and restart the browser, while organizations managing enterprise environments should prioritize deploying the patched versions immediately rather than waiting for the automatic rollout, especially in high-risk environments.

Impact

  • Code Execution
  • Gain Access

Indicators of Compromise

CVE

  • CVE-2026-3909
  • CVE-2026-3910

Remediation

  • Immediately update Google Chrome to version 146.0.7680.75/76 (Windows/macOS) or 146.0.7680.75 (Linux) to patch the vulnerabilities CVE-2026-3909 and CVE-2026-3910.
  • Manually check for updates by navigating to Menu → Help → About Google Chrome, then restart the browser to complete the installation.
  • Enable automatic updates in Chrome to ensure future security patches are applied as soon as they are released.
  • Apply enterprise patch management to rapidly deploy the latest Chrome version across all organizational systems.
  • Restrict access to untrusted or suspicious websites that could host malicious scripts designed to exploit browser vulnerabilities.
  • Use endpoint security and browser protection tools to detect and block malicious webpages or exploit attempts.
  • Keep operating systems and other applications updated to reduce the risk of chained exploits that could bypass browser protections.
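
For the enterprise patch-management step, one way to confirm rollout is to compare each endpoint's reported Chrome version against the fixed builds listed above. The following is an added example, not code from Rewterz or Google; the inventory format, host names and the older version strings are constructed for illustration, and the function names are hypothetical.

```python
import re

# Fixed builds named in the advisory above, per platform
# (146.0.7680.75 is the lowest patched build on Windows/macOS and Linux).
FIXED_BUILDS = {
    "windows": (146, 0, 7680, 75),
    "macos": (146, 0, 7680, 75),
    "linux": (146, 0, 7680, 75),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Pull a four-part Chrome version out of a string such as
    'Google Chrome 146.0.7680.75'; return None if none is present."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None

def classify(platform, version_text):
    """Return 'patched', 'vulnerable', or 'unknown' (needs manual review)."""
    fixed = FIXED_BUILDS.get(platform.strip().lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"
    # Compare as integer tuples: as strings, '...7680.8' would sort
    # above '...7680.75' and be wrongly reported as patched.
    return "patched" if version >= fixed else "vulnerable"

def audit(inventory_csv):
    """Map host -> status for lines of 'host,platform,version text'."""
    results = {}
    for line in inventory_csv.strip().splitlines():
        host, platform, version_text = [f.strip() for f in line.split(",", 2)]
        results[host] = classify(platform, version_text)
    return results

# Constructed sample inventory (hosts and older versions are illustrative).
SAMPLE = """
ws-001,windows,Google Chrome 146.0.7680.76
ws-002,windows,145.0.7632.160
mac-014,macos,Google Chrome 146.0.7680.75
lnx-007,linux,Google Chrome 146.0.7680.8
lnx-008,linux,not installed
kiosk-3,chromeos,146.0.7680.75
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as `unknown` (no parsable version, or a platform the advisory does not list) should be checked by hand rather than assumed safe.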