Chrome zero-day vulnerabilities CVE-2026-3909 and CVE-2026-3910 patched; users urged to update

Sunday, March 15, 2026, 16:30 Google has issued an emergency update for the Chrome browser to patch two serious zero-day vulnerabilities (CVE-2026-3909 and CVE-2026-3910) that are being exploited, and advises users to update and restart the browser immediately to ensure safety. Although weekly security updates have become standard since 2023, Google issuing another patch for Chrome just 48 hours after the previous update underscores the severity of the issue. In fact, Google has confirmed that the two zero-day vulnerabilities are being exploited against Chrome users. Google said that since Chrome version 153, stable updates will be released every two weeks, halving the cadence from the previous schedule. Previously, the March 10 update included as many as 29 security fixes, while the prior update was released on March 3. However, Google again released an emergency patch to address the two zero-day vulnerabilities CVE-2026-3909 and CVE-2026-3910, as exploit tooling has appeared in the wild. According to Google, both vulnerabilities are rated as highly severe on the CVSS score and affect core components of the Chrome browser. Notably, these flaws were discovered by Google itself rather than external security researchers as is often the case. Specifically, CVE-2026-3909 is an out-of-bounds memory access vulnerability that could lead to remote code execution when exploited. This flaw lies in the Skia graphics library — the component Chrome uses to render the user interface and web content. An attacker could trigger the vulnerability simply by convincing a user to visit a malicious website. Illustrative image Meanwhile, CVE-2026-3910 appears in V8 — Chrome's core JavaScript engine, long a common target for hackers. According to OpenCVE, this vulnerability relates to improper implementation and could allow a remote attacker to execute arbitrary code in a sandboxed environment through a pre-made HTML page. Alongside patching the vulnerability, Google also underscores the role of the Vulnerability Reward Program (VRP). The program has been in operation for 15 years and has paid out a total of $81.6 million to security researchers. In 2025 alone, rewards surpassed $17 million. According to Google, more than 100 researchers have received a total of $3.7 million in rewards for Chrome-related findings. Two researchers received the largest rewards in 2025 after uncovering a logic flaw in Chrome's inter-process communication mechanism and demonstrating exploitability. In addition to the general VRP, Google maintains a dedicated Chrome VRP, and has expanded into AI. The AI VRP has paid about $350,000 in rewards since its inception. Experts say that the number of vulnerabilities discovered is not a sign that Chrome is unsafe. On the contrary, early disclosure by the security research community helps make the browser safer against new threats. For users, Google has begun rolling out the security update, but the process may take several days or weeks. More importantly, users should restart the browser after updating to activate the patch. Users are advised to open the three-dot menu in Chrome, select Help → About Google Chrome to check and install the latest update. The patched version currently is 146.0.7680.75/76 for Windows and Mac, and 146.0.7680.75 for Linux. Timely updates are seen as the best way to minimize the risk of being attacked by zero-day vulnerabilities.