Google fixes two new Chrome zero-days exploited in attacks

Google Releases Emergency Chrome Updates to Patch Two Zero-Day Exploits Actively Used in Attacks

In a move that underscores the ongoing battle between tech giants and cybercriminals, Google has rolled out emergency security updates for its Chrome browser to address two high-severity vulnerabilities that are currently being exploited in the wild. The patches, released on Thursday, come as part of Google’s ongoing commitment to user security and its rapid response to emerging threats.

The two vulnerabilities, tracked as CVE-2026-3909 and CVE-2026-3910, represent serious flaws that could allow attackers to compromise user systems through the browser. Google’s security team discovered these exploits and moved quickly to develop and deploy fixes, demonstrating the critical importance of timely security updates in today’s threat landscape.

CVE-2026-3909 is described as an out-of-bounds write vulnerability in Skia, the open-source 2D graphics library that Chrome uses for rendering web content and user interface elements. This type of vulnerability is particularly dangerous because it lets attackers write data outside the intended memory boundaries, which can lead to crashes or, worse, arbitrary code execution. In practical terms, a malicious website could potentially take control of a victim’s browser and, by extension, their computer.

The second vulnerability, CVE-2026-3910, involves an inappropriate implementation issue in V8, Chrome’s JavaScript and WebAssembly engine. The V8 engine is fundamental to Chrome’s operation, as it compiles and executes JavaScript code that powers modern web applications. A flaw in this component could allow attackers to bypass security measures or execute malicious code under the guise of legitimate web content.

Google’s response to these threats was swift and decisive. The company patched both vulnerabilities within just two days of discovery for users in the Stable Desktop channel. The updates are being rolled out as version 146.0.7680.75 for Windows and Linux and version 146.0.7680.76 for macOS. This rapid response time is crucial because the longer a vulnerability remains unpatched, the more time attackers have to exploit it.

While Google notes that the update could take days or weeks to reach all users due to the staged rollout process, BleepingComputer confirmed that the patches were immediately available when they checked for updates. This suggests that most users should be able to secure their browsers promptly by simply checking for and installing the latest updates.
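Because the rollout is staged, a managed fleet can hold patched and unpatched builds side by side. The following Python example is added here and is not code from Google or the original article: it checks version strings from a constructed inventory against the fixed builds named above. The hostnames, platform labels and inventory format are assumptions.

```python
import re

# Fixed Stable Desktop builds as stated in the article.
FIXED_BUILDS = {
    "windows": (146, 0, 7680, 75),
    "linux": (146, 0, 7680, 75),
    "macos": (146, 0, 7680, 76),
}
# A four-part version that is not embedded in a longer dotted number.
VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_version(text):
    """Return the first four-part Chrome version in text as a tuple of ints, or None."""
    match = VERSION_RE.search(text or "")
    return tuple(int(part) for part in match.groups()) if match else None


def classify(platform, version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one inventory record."""
    fixed = FIXED_BUILDS.get(platform.strip().lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"  # never report an unparsed host as patched
    # Tuple comparison is numeric per component, so build .100 is newer than .75.
    return "patched" if version >= fixed else "vulnerable"


def audit(inventory):
    """Group hostnames by status; inventory holds (host, platform, version_text) tuples."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for host, platform, version_text in inventory:
        report[classify(platform, version_text)].append(host)
    return report


# Constructed sample inventory (hostnames and reported versions are made up).
SAMPLE_INVENTORY = [
    ("ws-001", "windows", "Google Chrome 146.0.7680.75"),
    ("ws-002", "windows", "Google Chrome 146.0.7680.9"),
    ("lx-001", "linux", "Google Chrome 146.0.7680.100 "),
    ("mac-001", "macOS", "146.0.7680.76"),
    ("kiosk-1", "chromeos", "146.0.7680.75"),
    ("ws-004", "windows", "version lookup failed"),
]

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status:10} {', '.join(hosts)}")
```

Hosts that land in the unknown group need a manual check, since a failed version lookup says nothing about whether the fix is installed.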

For those who prefer not to manually check for updates, Chrome offers an automatic update feature that can be enabled in the browser settings. This ensures that users receive critical security patches as soon as they become available, without requiring manual intervention. Given the severity of these zero-day exploits, enabling automatic updates is strongly recommended for all Chrome users.

It’s worth noting that Google has been deliberately vague about the specific details of these attacks, citing the need to protect users while the majority of them update their browsers. The company stated that “access to bug details and links may be kept restricted until a majority of users are updated with a fix.” This approach is standard practice in the cybersecurity industry, as it prevents potential attackers from gaining information that could help them develop new exploits before users have had a chance to patch their systems.

These two zero-day vulnerabilities mark the second and third actively exploited Chrome flaws patched since the beginning of 2026. The first, CVE-2026-2441, was addressed in mid-February and involved an iterator invalidation bug in CSSFontFeatureValuesMap, Chrome’s implementation of CSS font feature values. This pattern of multiple zero-day exploits in quick succession highlights the persistent and evolving nature of browser-based threats.

Looking at the broader context, Google’s track record on addressing zero-day vulnerabilities is impressive but also revealing. In the previous year alone, the company fixed a total of eight zero-days that were being exploited in the wild. Many of these were reported by Google’s Threat Analysis Group (TAG), a specialized team of security researchers dedicated to tracking and identifying zero-day exploits used in sophisticated attacks, including those deployed by state-sponsored actors and commercial spyware vendors.

The prevalence of these exploits underscores the critical role that browsers play in modern computing. As the primary gateway to the internet for most users, browsers have become prime targets for attackers seeking to compromise systems, steal data, or conduct surveillance. The fact that multiple zero-days are discovered and exploited each year demonstrates that even the most widely-used and well-maintained software is not immune to security vulnerabilities.

In addition to the technical aspects of these security updates, Google also highlighted its commitment to the broader security research community. On the same day it announced the Chrome patches, the company revealed that it had paid over $17 million to 747 security researchers who reported security flaws through its Vulnerability Reward Program (VRP) in 2025. This bug bounty program incentivizes ethical hackers to discover and report vulnerabilities before they can be exploited by malicious actors, creating a symbiotic relationship between the tech industry and the security research community.

The scale of Google’s VRP payouts is noteworthy. At an average of approximately $22,750 per researcher, it demonstrates the significant investment that major tech companies are willing to make in proactive security measures. This approach not only helps identify vulnerabilities before they can be exploited but also fosters a collaborative relationship with the security research community, which can provide valuable insights into emerging threats and attack techniques.

As users navigate this ever-changing security landscape, several key takeaways emerge. First, the importance of keeping software up to date cannot be overstated. These emergency patches demonstrate that even the most widely-used applications can harbor critical vulnerabilities that require immediate attention. Second, the role of specialized security teams within tech companies has never been more crucial. Google’s rapid response to these threats is a testament to the value of having dedicated experts monitoring and addressing security issues around the clock.

Finally, the ongoing battle between tech companies and cybercriminals highlights the need for continued investment in cybersecurity research and development. As attackers become more sophisticated, so too must the defenses employed by software developers and security professionals. The fact that Google is able to identify and patch these vulnerabilities so quickly is a positive sign, but it also serves as a reminder that the work of securing our digital infrastructure is never truly finished.

For Chrome users, the message is clear: update your browser immediately if you haven’t already done so. For the broader tech community, these developments underscore the ongoing importance of robust security practices, rapid response to emerging threats, and continued collaboration between industry and the security research community. As we move further into 2026, it’s likely that we’ll see more of these emergency patches as the cat-and-mouse game between defenders and attackers continues to evolve.
