Two Chrome zero-days being actively exploited

Published by The Daily Scout

What happened

Google warned of two actively exploited Chrome zero-day vulnerabilities (one enabling arbitrary code execution in the browser sandbox and another risking data leakage), prompting immediate updates for endpoints. While browser bugs aren't GovCloud-specific, they remain common initial access vectors that can compromise developer workstations tied into defense CI/CD workflows.

Why it matters

Google pushed an emergency Chrome 146 stable update (desktop builds 146.0.7680.75/76 and Linux 146.0.7680.75, plus Android 146.0.76380.115) on March 12–13, 2026 to deliver the fixes (source: chromereleases.googleblog.com). The two tracked bugs are CVE-2026-3909 (an out-of-bounds write in the Skia graphics library) and CVE-2026-3910 (an inappropriate-implementation flaw in the V8 engine), both reported by Google on March 10, 2026 (source: chromereleases.googleblog.com). Google explicitly stated it is aware that exploits for both CVE-2026-3909 and CVE-2026-3910 exist in the wild, and technical write-ups show attackers can trigger the flaws via crafted malicious web pages that corrupt memory and enable in-sandbox code execution (source: chromereleases.googleblog.com).

Security advisories and outlets urged immediate updates to the Chrome 146 builds and noted that Chrome normally auto-upgrades, but a manual check (Help → About Chrome) forces the patch; defenders should prioritize updating developer workstations and CI/CD build hosts running those versions (source: bleepingcomputer.com). This patching wave follows an earlier mid-February 2026 Chrome zero-day (CVE-2026-2441) and brings Chrome's count of actively exploited in-the-wild zero-days in 2026 to at least three, underscoring recurring active exploitation trends (source: securityaffairs.com).
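A fleet triage check for the update guidance above, as an added example that is not from the original brief or from Google: it compares inventoried Chrome versions numerically against the 146.0.7680.75 build named in the text and lists developer workstations and CI/CD build hosts first. The inventory rows, hostnames and role labels are constructed, and using .75 as the floor for every desktop OS is an assumption, since the brief does not say which platform ships .76.

```python
"""Flag hosts whose Chrome build predates the fixed 146 builds named in the brief."""
import re

# Floor from the brief. It lists desktop builds .75/.76 without saying which OS
# gets which, so .75 is assumed for all desktop platforms. Android is left out.
FIXED_FLOOR = {os_name: (146, 0, 7680, 75) for os_name in ("windows", "mac", "linux")}

# Roles the brief says to patch first; these role labels are hypothetical.
PRIORITY_ROLES = {"developer-workstation", "ci-build-host"}

def parse_version(text):
    """Return a 4-int tuple for 'a.b.c.d', or None if the string is malformed."""
    if not re.fullmatch(r"[0-9]+(?:\.[0-9]+){3}", text.strip()):
        return None
    return tuple(int(part) for part in text.strip().split("."))

def triage(inventory):
    """Return (host, status) for hosts needing action, priority roles first."""
    findings = []
    for host, os_name, role, version in inventory:
        floor = FIXED_FLOOR.get(os_name.lower())
        parsed = parse_version(version)
        if floor is None or parsed is None:
            status = "unknown"        # unlisted OS or unparseable version: check by hand
        elif parsed < floor:          # tuple compare is numeric, so .100 > .75
            status = "vulnerable"
        else:
            continue                  # at or above the fixed build
        findings.append((role not in PRIORITY_ROLES, host, status))
    findings.sort()                   # False (priority) sorts before True
    return [(host, status) for _, host, status in findings]

# Constructed sample inventory: (host, os, role, chrome version). Not real data.
SAMPLE = [
    ("hr-laptop-07", "windows", "office", "145.0.7632.160"),
    ("dev-ws-12", "mac", "developer-workstation", "146.0.7680.71"),
    ("ci-runner-03", "linux", "ci-build-host", "146.0.7680.100"),
    ("ci-runner-04", "linux", "ci-build-host", "not-reported"),
    ("dev-ws-15", "windows", "developer-workstation", "146.0.7680.76"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE):
        print(f"{status:<10} {host}")
```

Hosts reported as `unknown` are kept in the output on purpose, so a build host with a broken inventory agent is not silently treated as patched.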

Key numbers

  • Google pushed an emergency Chrome 146 stable update (desktop builds 146.0.7680.75/76 and Linux 146.0.7680.75, plus Android 146.0.76380.115) on March 12–13, 2026 to deliver the fixes (source: chromereleases.googleblog.com).
  • The two tracked bugs are CVE-2026-3909 (an out-of-bounds write in the Skia graphics library) and CVE-2026-3910 (an inappropriate-implementation flaw in the V8 engine), both reported by Google on March 10, 2026 (source: chromereleases.googleblog.com).
  • This patching wave follows an earlier mid-February 2026 Chrome zero-day (CVE-2026-2441) and brings Chrome's count of actively exploited in-the-wild zero-days in 2026 to at least three, underscoring recurring active exploitation trends (source: securityaffairs.com).

