Full Report
Google Chrome security advisory (AV26-235)
Analysis Summary
# Vulnerability: Critical Out-of-Band Update for Google Chrome Desktop
## CVE Details
- **CVE ID:** CVE-2026-3909 and CVE-2026-3910
- **CVSS Score:** Not assigned by Google at the time of publication (Chrome release notes do not carry CVSS); treat as **High/Critical** on the strength of confirmed in-the-wild exploitation alone.
- **CWE:** Not specified in the advisory. Chrome bugs fixed under active exploitation are most often memory-safety defects (e.g. use-after-free, type confusion) in V8 or Blink, but the advisory does not confirm the weakness class, so this is an analyst assumption.
## Affected Systems
- **Products:** Google Chrome for Desktop
- **Versions:**
- Windows: versions prior to 146.0.7680.75 (fixed builds: 146.0.7680.75 and 146.0.7680.76)
- macOS: versions prior to 146.0.7680.75 (fixed builds: 146.0.7680.75 and 146.0.7680.76)
- Linux: versions prior to 146.0.7680.75 (fixed build: 146.0.7680.75)
- **Configurations:** Default installations of the Stable Channel browser.
## Vulnerability Description
The advisory deliberately withholds the technical details of the underlying bugs until most users have updated. Vulnerabilities fixed under these conditions are typically memory-safety issues in the V8 JavaScript engine or the Blink rendering engine that give an attacker code execution inside the renderer process. Note that the renderer is sandboxed: a full compromise of the host generally requires chaining a second, sandbox-escape bug, which is why two CVEs exploited together is a common pattern.
## Exploitation
- **Status:** **Exploited in the wild.** Google has confirmed that exploits for both CVE-2026-3909 and CVE-2026-3910 exist and are being actively used by threat actors.
- **Complexity:** Medium to High (requires a working exploit chain, typically renderer bug plus sandbox escape; such chains are nonetheless in active use)
- **Attack Vector:** Network (a victim loads attacker-controlled content: a malicious site, a compromised legitimate site, or a malicious ad or iframe; no user interaction beyond visiting the page)
## Impact
- **Confidentiality:** High (Potential for data theft and session hijacking)
- **Integrity:** High (Potential for unauthorized modification of browser data)
- **Availability:** High (Potential for application crashes)
## Remediation
### Patches
Update Google Chrome to the following versions or later:
- **Windows/Mac:** 146.0.7680.75 or 146.0.7680.76
- **Linux:** 146.0.7680.75
### Workarounds
- Google has published no workaround. The only remediation is updating to a fixed build and relaunching the browser: an update that has downloaded but not yet relaunched is still running the vulnerable code.
- Restricting JavaScript to an allowlist of required sites (enterprise policy `DefaultJavaScriptSetting` = 2 together with `JavaScriptAllowedForUrls`) shrinks the reachable attack surface while the update rolls out, at the cost of breaking most web applications. It is a stopgap, not a substitute for patching. Chrome has not supported NPAPI plugins for years, so "disable plugins" is not an applicable control; review installed extensions separately.
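To make the two enterprise-policy levers above concrete, here is an added example (not part of the advisory, and not Google's tooling) that lints a Chrome managed-policy JSON file for the settings that matter during the roll-out: forced relaunch onto the patched build and, optionally, JavaScript restricted to an allowlist. The policy names and values are Chrome's documented enterprise policies; the 24-hour relaunch window, the sample policies and the allowlisted hostnames are constructed assumptions, and the Linux managed-policy directory is shown only as the default write target.

```python
"""Lint a Chrome managed-policy file for settings that matter while a fix
rolls out. Added example; sample policies and hostnames are constructed."""
import json
import os
from typing import List

ONE_HOUR_MS = 3_600_000
CHROME_DEFAULT_RELAUNCH_PERIOD_MS = 604_800_000  # Chrome's default: 7 days
LINUX_MANAGED_POLICY_DIR = "/etc/opt/chrome/policies/managed"

# Weak: RelaunchNotification 1 = "Recommended", which users can dismiss for
# the whole default 7-day period; JavaScript unrestricted (constructed).
WEAK_POLICY = json.dumps({
    "RelaunchNotification": 1,
    "RelaunchNotificationPeriod": CHROME_DEFAULT_RELAUNCH_PERIOD_MS,
    "DefaultJavaScriptSetting": 1,
})

# Hardened: RelaunchNotification 2 = "Required" within 24 hours, JavaScript
# blocked except on an allowlist of business sites (hostnames are assumptions).
HARDENED_POLICY = json.dumps({
    "RelaunchNotification": 2,
    "RelaunchNotificationPeriod": 24 * ONE_HOUR_MS,
    "DefaultJavaScriptSetting": 2,
    "JavaScriptAllowedForUrls": ["[*.]intranet.example", "https://mail.example"],
})


def lint_policy(policy_json: str, max_relaunch_hours: int = 24) -> List[str]:
    """Return findings for a managed-policy document; an empty list passes.

    JavaScript restriction is optional, so its absence is not a finding, but a
    global block with no allowlist is flagged because it breaks most sites.
    """
    pol = json.loads(policy_json)
    findings: List[str] = []

    if pol.get("RelaunchNotification") != 2:
        findings.append(
            "RelaunchNotification is not 2 (Required): users can keep running "
            "the old build after the update has downloaded"
        )
    period = pol.get("RelaunchNotificationPeriod", CHROME_DEFAULT_RELAUNCH_PERIOD_MS)
    if period > max_relaunch_hours * ONE_HOUR_MS:
        findings.append(
            f"RelaunchNotificationPeriod {period} ms exceeds the "
            f"{max_relaunch_hours}h window for an actively exploited bug"
        )
    if pol.get("DefaultJavaScriptSetting") == 2 and not pol.get("JavaScriptAllowedForUrls"):
        findings.append(
            "JavaScript blocked globally with no allowlist: expect widespread breakage"
        )
    return findings


def write_policy(policy_json: str, directory: str = LINUX_MANAGED_POLICY_DIR,
                 name: str = "chrome_av26_235.json") -> str:
    """Write a policy file Chrome will pick up from its managed-policy directory.
    Refuses to write a policy that fails the lint. Returns the file path."""
    findings = lint_policy(policy_json)
    if findings:
        raise ValueError("policy rejected: " + "; ".join(findings))
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, name)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(policy_json)
    return path


if __name__ == "__main__":
    for label, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, "->", lint_policy(pol) or "OK")
```

On Windows and macOS the same keys are delivered through the registry/GPO template or a configuration profile rather than a JSON file; the lint logic is unchanged. Confirm the applied values on a host at `chrome://policy`.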
## Detection
- **Indicators of Compromise:** None published in the advisory. Generic signals worth hunting for: clusters of renderer-process crashes (Crashpad reports) following visits to the same site, Chrome processes spawning unexpected child processes (a sign the sandbox was escaped), and first-seen outbound connections made shortly after a page load.
- **Detection Methods:**
- Verify the build on a single host via `chrome://version` (or `chrome://settings/help`, which also triggers an update check); a downloaded update is not applied until Chrome relaunches.
- Audit the fleet with your management tooling (GPO/SCCM/Intune, Chrome Browser Cloud Management, or the file version of `chrome.exe` / `google-chrome --version`) and flag every build below 146.0.7680.75.
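The fleet check above, as an added example (not part of the advisory): it applies the fixed-build thresholds from the Remediation section to an inventory export. The `host,platform,version` line format and the inventory lines themselves are constructed assumptions about what your management agent exports; the version field can be the raw output of `google-chrome --version`, the ProductVersion of `chrome.exe`, or a bare version string.

```python
"""Fleet audit against the fixed Chrome builds named in this advisory.
Added example; the inventory below is constructed."""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int, int]

# Minimum fixed build per platform (Remediation section). Windows/macOS
# shipped both .75 and .76; anything at or above .75 carries the fix.
FIXED = {
    "windows": (146, 0, 7680, 75),
    "macos": (146, 0, 7680, 75),
    "linux": (146, 0, 7680, 75),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

# Constructed inventory: host,platform,version as reported by the agent.
SAMPLE_INVENTORY = """
# host,platform,version (constructed sample data)
ws-001,windows,Google Chrome 146.0.7680.60
ws-002,windows,146.0.7680.76
mac-01,macos,Google Chrome 146.0.7680.75
lnx-01,linux,Google Chrome 145.0.7632.120
lnx-02,linux,google-chrome: command not found
ws-003,Windows,147.0.7700.10
"""


def parse_version(raw: str) -> Optional[Version]:
    """Extract a four-part Chrome version from strings such as
    'Google Chrome 146.0.7680.60' or a bare '146.0.7680.75'.
    Returns None when no version is present (e.g. Chrome not installed)."""
    m = _VERSION_RE.search(raw)
    if not m:
        return None
    major, minor, build, patch = (int(x) for x in m.groups())
    return (major, minor, build, patch)


def is_fixed(platform: str, raw: str) -> Optional[bool]:
    """True if the reported build is at or above the platform's fixed build,
    False if it is vulnerable, None if the version cannot be parsed.
    Unknown platforms fall back to the strictest threshold on the list."""
    ver = parse_version(raw)
    if ver is None:
        return None
    threshold = FIXED.get(platform.lower(), max(FIXED.values()))
    return ver >= threshold  # tuple comparison is numeric, not lexical


def audit(inventory: str) -> Tuple[List[str], List[str]]:
    """Classify each inventory line. Returns (vulnerable_hosts, unknown_hosts);
    unknown hosts need a manual check rather than being silently passed."""
    vulnerable: List[str] = []
    unknown: List[str] = []
    for line in inventory.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, platform, raw = (field.strip() for field in line.split(",", 2))
        state = is_fixed(platform, raw)
        if state is None:
            unknown.append(host)
        elif not state:
            vulnerable.append(host)
    return vulnerable, unknown


if __name__ == "__main__":
    vuln, unk = audit(SAMPLE_INVENTORY)
    print("vulnerable:", vuln)
    print("needs manual check:", unk)
```

Version strings are compared as integer tuples rather than as text so that, for example, 146.0.7680.100 correctly sorts above 146.0.7680.75. Hosts whose version cannot be parsed are reported separately: a missing or garbled value usually means the agent could not see the browser, not that the host is safe.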
## References
- Google Chrome Releases Blog: hxxps[://]chromereleases[.]googleblog[.]com/2026/03/stable-channel-update-for-desktop_12[.]html
- Canadian Centre for Cyber Security Advisory: hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/google-chrome-security-advisory-av26-235