Full Report
Google has released emergency security updates to patch two high-severity Chrome vulnerabilities exploited in zero-day attacks. [...]
Analysis Summary
# Vulnerability: Emergency Security Updates for Chrome Zero-Day Exploits
## CVE Details
- **CVE ID:** CVE-2026-3909, CVE-2026-3910
- **CVSS Score:** N/A (High Severity per Google advisory)
- **CWE:**
  - **CVE-2026-3909:** CWE-787 (Out-of-bounds Write)
  - **CVE-2026-3910:** CWE-684 (Inappropriate Implementation)
## Affected Systems
- **Products:** Google Chrome Browser
- **Versions:** Prior to 146.0.7680.75/.76
- **Configurations:** Desktop versions including Windows, macOS, and Linux.
## Vulnerability Description
This update addresses two distinct high-severity flaws:
- **CVE-2026-3909 (Skia):** An out-of-bounds write flaw in the Skia 2D graphics library. This library renders web content and UI elements. A successful exploit could allow an attacker to trigger a browser crash or achieve remote code execution (RCE).
- **CVE-2026-3910 (V8 Engine):** An "inappropriate implementation" flaw within the V8 JavaScript and WebAssembly engine. This type of flaw typically relates to how the engine handles script execution, potentially leading to memory corruption or bypasses.
## Exploitation
- **Status:** Exploited in the wild (Zero-day).
- **Complexity:** Undisclosed (Likely Medium to High given the components).
- **Attack Vector:** Network (Remote via malicious web content).
## Impact
- **Confidentiality:** High (Potential for data theft via code execution).
- **Integrity:** High (Potential for unauthorized modifications).
- **Availability:** High (Can lead to application crashes/Denial of Service).
## Remediation
### Patches
Google has released the following stable channel updates:
- **Windows:** 146.0.7680.75
- **Linux:** 146.0.7680.75
- **macOS:** 146.0.7680.76
### Workarounds
No formal workarounds are provided by the vendor. Users are advised to update their browsers immediately to the patched versions listed above.
## Detection
- **Indicators of Compromise:** To prevent further exploitation, Google is currently restricting access to specific bug details and IOCs until a majority of users have updated.
- **Detection methods:** Organizations should monitor for outdated Chrome versions in their environment and audit logs for unusual browser crashes or unauthorized process spawning from Chrome.
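
One way to run the outdated-version check described above, as an added example that is not part of the original report: it compares inventoried Chrome versions against the per-platform fixed builds listed under Patches. The inventory format `(host, platform, version)` and the host names are assumptions, and the sample rows are constructed.

```python
# Added example: flag Chrome installs older than the fixed builds in this report.
# The inventory layout and every row in SAMPLE_INVENTORY are constructed.

# Fixed stable-channel builds, taken from the Patches section of this report.
PATCHED = {
    "windows": (146, 0, 7680, 75),
    "linux": (146, 0, 7680, 75),
    "macos": (146, 0, 7680, 76),
}

def parse_version(text):
    """Turn 'MAJOR.MINOR.BUILD.PATCH' into a tuple of ints; None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(platform, version_text):
    """Return 'patched', 'vulnerable', or 'unknown' for one inventory row."""
    fixed = PATCHED.get(platform.strip().lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"  # unrecognised platform or unparsable version: review by hand
    # Tuples compare numerically per component, so .9 sorts below .75
    # (a plain string comparison would get this wrong).
    return "patched" if version >= fixed else "vulnerable"

def audit(inventory):
    """Return (host, platform, version, status) for every row that is not patched."""
    findings = []
    for host, platform, version_text in inventory:
        status = classify(platform, version_text)
        if status != "patched":
            findings.append((host, platform, version_text, status))
    return findings

# Constructed sample inventory (hypothetical host names and versions).
SAMPLE_INVENTORY = [
    ("ws-001", "Windows", "146.0.7680.75"),
    ("ws-002", "Windows", "146.0.7680.9"),
    ("mac-001", "macOS", "146.0.7680.75"),   # macOS fix is .76, so still exposed
    ("lnx-001", "Linux", "147.0.7700.10"),
    ("lnx-002", "Linux", "145.0.7632.160"),
    ("ws-003", "Windows", "unknown"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE_INVENTORY):
        print(*row, sep="\t")
```

Rows reported as `unknown` are kept in the findings on purpose, so that hosts with missing or malformed version data are followed up rather than silently treated as patched.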
## References
- **Vendor Advisory:** [hxxps://chromereleases.googleblog[.]com/2026/03/stable-channel-update-for-desktop_12.html]
- **Original Report:** [hxxps://www.bleepingcomputer[.]com/news/google/google-fixes-two-new-chrome-zero-days-exploited-in-attacks/]
- **CWE Reference:** [hxxps://cwe.mitre[.]org/data/definitions/787.html]