Two Actively Exploited Zero-Day Vulnerabilities Patched in Google Chrome

By Thomas | Published on March 14, 2026


Almost exactly one month after its last zero-day patch, Google has released more updates for Chrome, this time addressing two zero-day vulnerabilities at once. The vulnerabilities affected billions of users worldwide, and a critical update has been issued. One affected the Skia graphics engine, while the other affected the V8 JavaScript engine. Google confirmed that both had been actively exploited by threat actors.

The Exploits

The first vulnerability addressed by Google is identified as CVE-2026-3909. It affects the Skia engine, a 2D graphics library in Chrome responsible for rendering UI elements. This out-of-bounds write vulnerability was actively exploited in the wild. It allowed a malicious website to corrupt the browser’s memory, potentially enabling an attacker to execute arbitrary code by bypassing the browser’s security sandbox.

The second zero-day, CVE-2026-3910, involves an inappropriate implementation in the V8 JavaScript engine and WebAssembly. Like the first, it was exploited in the wild and required the user to visit a malicious website. However, in this case, the attack didn’t rely on memory corruption but instead allowed the attacker to run malicious code directly within the browser’s sandbox. While this is already a serious risk, potentially enabling attackers to steal sensitive data like cookies, session tokens, and login information, it could also provide a gateway to exploit other vulnerabilities, granting deeper access outside the sandboxed environment.

Two Birds With One Stone

Both vulnerabilities were announced on consecutive days, March 12th and 13th, and were patched immediately. This news may come as a slight shock to some, especially considering that exactly one month ago, another major zero-day affecting billions of users and actively exploited in the wild was patched in Chrome. Chrome users have been advised to update their browsers to the latest version. As mentioned, Google made it explicitly clear that both vulnerabilities had been detected being exploited in the wild, meaning criminals are likely actively exploiting them.

Conclusion

While we recommend using an open-source browser, those who prefer and use Chrome must ensure their browsers are up to date, as these vulnerabilities are highly critical. Users can check for available updates in the "Help > About Google Chrome" section. If you're interested in more technical details about how these vulnerabilities work, we suggest looking up the two CVE identifiers provided.

To be protected, ensure you are running version 146.0.7680.75 (Windows & Linux) or 146.0.7680.76 (macOS) or higher.
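
For anyone checking more than one machine, the version thresholds above can be applied to a list of reported versions. The following is an added example, not part of the original article or any Google tooling; the host names and version strings in the inventory are constructed, and the input format (host, platform, version text) is an assumption.

```python
import re

# Minimum patched builds per platform, as stated in the article.
PATCHED = {
    "windows": (146, 0, 7680, 75),
    "linux": (146, 0, 7680, 75),
    "macos": (146, 0, 7680, 76),
}

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return the four-part Chrome version found in text as a tuple of ints."""
    match = VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no four-part version in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_patched(platform, version_text):
    """Compare numerically: as strings, '100' would sort before '75'."""
    return parse_version(version_text) >= PATCHED[platform.lower()]


def audit(inventory):
    """Return (host, status) for every host that is not confirmed patched."""
    findings = []
    for host, platform, version_text in inventory:
        try:
            if not is_patched(platform, version_text):
                findings.append((host, "outdated"))
        except (ValueError, KeyError):
            # Unparseable version or unlisted platform: flag for manual review.
            findings.append((host, "unknown"))
    return findings


# Constructed sample inventory (hypothetical host names and version strings).
SAMPLE_INVENTORY = [
    ("ws-001", "windows", "Google Chrome 146.0.7680.100"),
    ("ws-002", "windows", "145.0.7632.160"),
    ("mac-001", "macos", "Google Chrome 146.0.7680.75"),
    ("lnx-001", "linux", "Google Chrome 146.0.7680.75"),
    ("lnx-002", "linux", "version unavailable"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY):
        print(f"{host}: {status}")
```

Note that build .75 counts as patched on Windows and Linux but not on macOS, where the threshold is .76.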
