CRITICAL: Google Patches Two Chrome Zero-Days Under Active Attack — Update Your Browser Now

Google patched CVE-2026-3909 (Skia OOB write) and CVE-2026-3910 (V8 implementation flaw), both actively exploited. Third Chrome zero-day emergency in 2026. Update to 146.0.7680.75/76 immediately.

By Danny Mercer, CISSP — Lead Security Analyst Mar 15, 2026

If you needed a reminder that your browser is the most targeted piece of software on your machine, here it is. Google just dropped emergency patches for two high-severity Chrome vulnerabilities that attackers are actively exploiting in the wild. That makes three zero-days patched in Chrome since January, and we're not even through the first quarter of 2026.

The two flaws, tracked as CVE-2026-3909 and CVE-2026-3910, hit at the heart of how Chrome renders content and executes code. The first vulnerability lives in Skia, the open-source 2D graphics library that handles everything you see on screen, from fonts and images to UI elements and canvas rendering. An out-of-bounds write weakness in Skia means attackers can craft malicious content that crashes the browser or, worse, achieves arbitrary code execution. When someone can run code on your machine just by getting you to visit a website, you've got a serious problem.

The second flaw takes aim at V8, Chrome's JavaScript and WebAssembly engine. V8 is the engine that makes modern web applications fast and capable, processing everything from simple animations to complex web apps. An inappropriate implementation bug in V8 opens the door to exploitation, and Google is deliberately keeping the details vague, which usually means it's bad enough that they don't want to hand attackers a roadmap.

Google discovered both vulnerabilities internally and managed to push patches within just two days of identifying the issues. That rapid turnaround reflects the severity. When you see a browser vendor scrambling to ship fixes in 48 hours, you know someone is getting hit. The updated versions are now available for Windows as 146.0.7680.75, macOS as 146.0.7680.76, and Linux as 146.0.7680.75 in the stable desktop channel.

The company is characteristically tight-lipped about who's being targeted and how. Google's standard practice is to restrict access to bug details and exploit information until the majority of users have updated, which makes sense from a defensive standpoint even if it leaves security teams wanting more context. If the vulnerability also exists in third-party libraries that other projects depend on, those restrictions stay in place even longer.

What we know about Skia makes this particularly concerning. The graphics library isn't just used by Chrome. It's embedded in Firefox, Android, Flutter applications, and numerous other projects. When Google says they're holding back details because of third-party dependencies, Skia is exactly the kind of widely-deployed component they're worried about. A single vulnerability in shared infrastructure can cascade across the software ecosystem.

V8 exploitation has a well-documented history in sophisticated attacks. Nation-state actors and commercial spyware vendors have repeatedly targeted the JavaScript engine because successful exploitation typically yields remote code execution without requiring any user interaction beyond visiting a malicious page. Combine that with Chrome's dominant market share, hovering somewhere around 65% of desktop browsers worldwide, and you've got a target-rich environment that attracts serious adversaries.

This brings Chrome's 2026 zero-day count to three, with the first being CVE-2026-2441, an iterator invalidation bug in CSSFontFeatureValuesMap that Google addressed in mid-February. Last year saw eight Chrome zero-days patched across the full twelve months, many of which were discovered by Google's Threat Analysis Group through their ongoing surveillance of spyware operations. If we're already at three by mid-March, 2026 is tracking to be a busier year.

The timing coincides with Google's announcement that it paid over $17 million to 747 security researchers through its Vulnerability Reward Program in 2025. That's serious money flowing to the people finding these bugs before attackers do, and it reflects the reality that browser security requires constant investment. Every dollar spent on bug bounties is potentially millions saved in breach response and remediation.

For enterprise security teams, the immediate action is straightforward but urgent. Push the update through whatever endpoint management system you're running, whether that's Intune, JAMF, or group policy. Chrome's auto-update mechanism will eventually catch everyone, but eventually isn't good enough when exploits are circulating. The window between patch availability and attacker adaptation keeps shrinking.

If you're managing a fleet of devices, verify the rollout. Chrome's version number should show 146.0.7680.75 or higher on Windows and Linux, 146.0.7680.76 or higher on macOS. Any machine that hasn't updated in the past 48 hours needs attention. For personal devices, the simplest approach is to navigate to the three-dot menu, click Help, then About Google Chrome. The browser will check for updates and prompt you to relaunch once the new version downloads.
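For fleet verification, the check is a per-platform version comparison against the fixed builds above. The script below is an added example, not Google's or any endpoint manager's tooling; it assumes you can export hostname, platform and Chrome version from Intune, JAMF or similar, and the inventory it ships with is constructed.

```python
# Added example, not Google's tooling: compare inventoried Chrome builds against
# the fixed builds named in the advisory. The inventory below is constructed.
from typing import NamedTuple

# Minimum patched stable builds per platform, as published by Google.
PATCHED = {
    "windows": (146, 0, 7680, 75),
    "linux": (146, 0, 7680, 75),
    "macos": (146, 0, 7680, 76),
}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '146.0.7680.75' into (146, 0, 7680, 75); reject malformed strings."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Chrome version format: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(platform: str, version: str) -> bool:
    """True if the build is at or above the fixed build for that platform."""
    key = platform.lower()
    if key not in PATCHED:
        raise ValueError(f"unknown platform: {platform!r}")
    # Tuple comparison is lexicographic, so 146.0.7681.0 ranks above
    # 146.0.7680.75 even though its last field is smaller.
    return parse_version(version) >= PATCHED[key]


class Host(NamedTuple):
    name: str
    platform: str
    chrome: str


def unpatched_hosts(inventory: list[Host]) -> list[str]:
    """Names of hosts still running a build below the patched one."""
    return [h.name for h in inventory if not is_patched(h.platform, h.chrome)]


# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE_INVENTORY = [
    Host("ws-001", "windows", "146.0.7680.75"),   # exactly the fixed build
    Host("ws-002", "windows", "146.0.7680.74"),   # one build short
    Host("mac-001", "macos", "146.0.7680.75"),    # macOS fix is .76
    Host("lx-001", "linux", "146.0.7681.0"),      # newer build, fine
    Host("ws-003", "windows", "145.0.7632.200"),  # previous major, vulnerable
]
```

Point unpatched_hosts at your real export instead of SAMPLE_INVENTORY; on the sample it returns ws-002, mac-001 and ws-003, the macOS entry failing because that platform's fixed build is .76.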

Disabling Chrome entirely while you coordinate updates isn't practical for most organizations, but you can reduce attack surface by ensuring browser isolation technologies are in place and limiting navigation to untrusted sites where possible. If you're running enterprise security controls that intercept and analyze web content, make sure those systems are logging any unusual crashes or behavior in Chrome processes, which might indicate exploitation attempts.

The broader lesson here extends beyond Chrome. Every piece of software that touches the internet is a potential entry point, and browsers sit at the front of that line. They parse untrusted content, execute arbitrary code from third parties, and integrate deeply with operating system capabilities. Building defense in depth means assuming your browser will eventually be compromised and having detection and response capabilities ready when it happens.

Google deserves credit for the rapid response time. Two days from discovery to patch is exceptional, especially for vulnerabilities this severe. The company's internal security teams clearly have mature processes for escalating and addressing critical issues. But speed only matters if organizations actually apply the patches. Every day a vulnerable version stays in production is another day the window remains open.

Update Chrome today. Not tomorrow, not after the meeting, not when IT gets around to it. Go to chrome://settings/help right now and make sure you're running the patched version. The attackers already know about these flaws, and they're not waiting for your change management process to catch up.