Cybersecurity | computerworld.com

Google Issues Emergency Patches for Two Chrome Zero-Day Exploits

Google has released critical security updates to address two actively exploited zero-day vulnerabilities in the Chrome browser that pose serious risks to enterprise security. Security experts urge immediate patching as threat actors are already exploiting these high-severity flaws to execute malicious code and access sensitive data.

Key Takeaways

  • 1. "With active exploitation already confirmed, organizations that delay updates risk exposing users to drive-by attacks delivered through compromised or malicious websites," noted Jack Bicer, director of vulnerability research at Action1.
  • 2. "We know attackers are opportunistic, and when they set their sights on one of the most widely installed browsers in the market, it's imperative that teams are taking action now to ensure updates are applied as soon as possible," said Scott Caveza, senior staff research engineer at Tenable.
  • 3. Recent research from Omdia for Palo Alto Networks revealed that 95% of organizations experienced security incidents originating from employee browsers within a 12-month period.

Google has issued emergency security patches for two high-severity zero-day vulnerabilities currently being exploited by threat actors, marking another critical security milestone for the world's most popular web browser.

The vulnerabilities, designated CVE-2026-3909 and CVE-2026-3910, affect Chrome browsers prior to version 146.0.7680.75. These patches arrive shortly after Google's release of 29 security fixes during March Patch Tuesday and a separate zero-day patch in February.

Security professionals are emphasizing the urgent need for immediate deployment of these updates across enterprise environments.

"If you're not managing browser patches, your odds of getting pwned are increasing daily," said David Shipley of Canada-based security awareness training provider Beauceron Security.

The first vulnerability, CVE-2026-3910, stems from a flawed implementation in Chrome's V8 JavaScript and WebAssembly engine. This flaw enables remote attackers to execute arbitrary code within a sandbox environment through specially crafted HTML pages.

The second vulnerability, CVE-2026-3909, involves an out-of-bounds write issue in Chrome's Skia graphics library. This security gap allows attackers to perform unauthorized memory access via malicious web pages, potentially exposing sensitive corporate information.

Following standard company protocol, Google has not disclosed detailed technical information about these vulnerabilities while users update their browsers with the security fixes.

Browser security has become increasingly critical as web browsers serve as primary attack vectors for cybercriminals. Recent research from Omdia for Palo Alto Networks revealed that 95% of organizations experienced security incidents originating from employee browsers within a 12-month period.

The severity of these latest vulnerabilities has prompted strong warnings from cybersecurity experts about the risks of delayed patching.

"With active exploitation already confirmed, organizations that delay updates risk exposing users to drive-by attacks delivered through compromised or malicious websites," noted Jack Bicer, director of vulnerability research at Action1.

Bicer recommended that administrators ensure automatic updates are enabled across enterprise endpoints, monitor for outdated browser versions, and consider implementing browser isolation technologies to reduce exposure to web-based attacks.

The impact extends beyond Chrome itself, as these vulnerabilities affect all Chromium-based browsers, including Microsoft Edge and other derivatives built on the same underlying engine.

Scott Caveza, senior staff research engineer at Tenable, emphasized that these zero-days should be prioritized by any organization running Chrome installations.

"We know attackers are opportunistic, and when they set their sights on one of the most widely installed browsers in the market, it's imperative that teams are taking action now to ensure updates are applied as soon as possible," he said.

While Google has not provided specific details about how these vulnerabilities are being exploited in the wild, Caveza noted that most browser-related attacks require victims to visit specially crafted websites, suggesting these exploits may be part of targeted campaigns.

The rapid succession of critical Chrome vulnerabilities underscores the importance of robust browser security management within enterprise environments. Organizations should verify their automatic update policies are functioning correctly and consider implementing additional security measures such as browser isolation technologies.

IT teams should prioritize immediate deployment of Chrome version 146.0.7680.75 or later across all managed devices to protect against these active threats.
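
One way to act on the advice to monitor for outdated browser versions, shown as an added example that is not from the original article: it triages an inventory export against the fixed Chrome build 146.0.7680.75 using numeric rather than string comparison. The CSV layout, host names and sample versions are constructed, and it assumes your inventory tool can export host, browser and version columns.

```python
import csv
import io

# Fixed Chrome build named in the article; any lower Chrome build is exposed.
FIXED_CHROME = (146, 0, 7680, 75)

# Constructed sample export (host, browser, version); not real inventory data.
SAMPLE_INVENTORY = """host,browser,version
ws-001,chrome,146.0.7680.75
ws-002,chrome,146.0.7680.9
ws-003,chrome,145.0.7632.160
ws-004,chrome,146.0.7680.100
ws-005,edge,146.0.3856.59
ws-006,chrome,unknown
"""


def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not a dotted build number."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def triage(inventory_csv, fixed=FIXED_CHROME):
    """Sort hosts into vulnerable / patched / needs_review buckets."""
    result = {"vulnerable": [], "patched": [], "needs_review": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        version = parse_version(row["version"])
        if row["browser"].strip().lower() != "chrome" or version is None:
            # Other Chromium-based browsers use their own build numbers, and an
            # unparseable version proves nothing: route both to manual review.
            result["needs_review"].append(row["host"])
        elif version < fixed:
            # Tuple comparison is numeric, so build .9 sorts below .75 and
            # .100 above it; comparing the raw strings gets both wrong.
            result["vulnerable"].append(row["host"])
        else:
            result["patched"].append(row["host"])
    return result


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

For Microsoft Edge and other Chromium derivatives, compare against the fixed build published by that vendor rather than the Chrome number.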