PROBABLYPWNED
Vulnerabilities · March 14, 2026 · 3 min read

Chrome Zero-Days CVE-2026-3909, CVE-2026-3910 Hit CISA KEV

Google patches two actively exploited Chrome zero-days affecting Skia graphics and V8 JavaScript engine. CISA adds both to KEV catalog with March 27 deadline.

Marcus Chen

Google released emergency security updates on March 13 to patch two high-severity Chrome vulnerabilities that attackers were already exploiting in the wild. Within hours, CISA added both flaws to its Known Exploited Vulnerabilities catalog, requiring federal agencies to patch by March 27.

What Are These Vulnerabilities?

CVE-2026-3909 is an out-of-bounds write vulnerability in Skia, the 2D graphics library Chrome uses for rendering. An attacker can trigger memory corruption by tricking a user into visiting a malicious webpage. CVSS: 8.8.

CVE-2026-3910 involves an inappropriate implementation flaw in V8, Chrome's JavaScript and WebAssembly engine. Exploitation allows arbitrary code execution inside the browser sandbox. Also CVSS 8.8.

Both vulnerabilities were discovered by Google's internal security team on March 10, 2026—just three days before patches shipped. That's an unusually fast turnaround, suggesting Google observed active exploitation and prioritized accordingly.

How Attacks Work

The attack chain is straightforward: a victim visits an attacker-controlled page (or a legitimate site compromised with malicious ads), and the page delivers crafted HTML or JavaScript that triggers one of these flaws. Memory corruption in Skia or code execution in V8 follows.

Google hasn't disclosed attribution or specific campaigns, which is typical when exploitation is ongoing. The company stated only that "exploits for both CVE-2026-3909 and CVE-2026-3910 exist in the wild."

These mark the third and fourth Chrome zero-days patched in 2026. Back in February, we covered CVE-2026-2441, a use-after-free flaw that attackers similarly exploited before a fix was available. Chrome's complexity—V8 alone is millions of lines of C++—makes these flaws inevitable.

Affected Versions and Patch Status

Update immediately to:

  • Windows/macOS: Chrome 146.0.7680.75 or 146.0.7680.76
  • Linux: Chrome 146.0.7680.75

Chrome typically auto-updates, but you can force it via Settings > About Chrome. Restart required.

Because Chromium also powers Edge, Brave, Opera, and Vivaldi, users of those browsers should update to their latest versions as well.

CISA's Response

CISA added both vulnerabilities to its KEV catalog on March 13, the same day Google released patches. Federal Civilian Executive Branch agencies must apply fixes by March 27, 2026—a 14-day window rather than the standard 21 days, reflecting the active exploitation status.

For organizations outside federal mandates, CISA's KEV additions serve as a prioritization signal. If CISA considers a flaw significant enough to track, your security team should too.

Recommended Actions

  1. Update Chrome immediately across all endpoints—don't wait for scheduled patching windows
  2. Verify Chromium-based browsers (Edge, Brave, Opera) are also current
  3. Check browser policies to ensure auto-updates aren't disabled by group policy
  4. Monitor for suspicious browser crashes that could indicate exploitation attempts
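The version list and the policy check above are easy to get wrong by eye across a large fleet. The following Python script is an added example (not code from Google or from the original article) that compares Chrome build strings against the fixed builds named in this article and flags Google Update policy values that would keep Chrome from updating itself. The policy value names (`UpdateDefault`, the per-app `Update{appid}` override, `AutoUpdateCheckPeriodMinutes`) and the Chrome app ID follow Google's documented Google Update policies for Windows; the inventory format and the sample hosts are constructed for illustration and would come from your own endpoint tooling.

```python
"""Check Chrome build strings and Google Update policy settings against the
fixed builds from the March 13 release (146.0.7680.75 / .76).

The sample inventory below is constructed; hostnames and versions are not real.
"""
from __future__ import annotations
import re

# Minimum fixed builds per platform, taken from the release described above.
FIXED_VERSIONS = {
    "windows": (146, 0, 7680, 75),
    "macos": (146, 0, 7680, 75),
    "linux": (146, 0, 7680, 75),
}

# Google Update (Omaha) application ID for Google Chrome, used in per-app policy names.
CHROME_APP_ID = "{8A69D345-D564-463C-AFF1-A69D9E530F96}"

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Extract a four-part Chrome version from text such as
    'Google Chrome 146.0.7680.75' or a bare '146.0.7680.40'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Chrome version found in {text!r}")
    return tuple(int(p) for p in m.groups())  # type: ignore[return-value]


def is_patched(version_text: str, platform: str) -> bool:
    """True when the installed build is at or above the fixed build for the platform."""
    return parse_version(version_text) >= FIXED_VERSIONS[platform.lower()]


def update_policy_problems(policy: dict[str, int]) -> list[str]:
    """Flag Google Update policy values that stop Chrome from auto-updating.
    `policy` mirrors the values under HKLM\\SOFTWARE\\Policies\\Google\\Update."""
    problems = []
    # The per-app override takes precedence over UpdateDefault; 1 (always allow) is the default.
    effective = policy.get(f"Update{CHROME_APP_ID}", policy.get("UpdateDefault", 1))
    # 0 = updates disabled, 1 = always allow, 2 = manual updates only, 3 = automatic only
    if effective == 0:
        problems.append("updates disabled by policy (value 0)")
    elif effective == 2:
        problems.append("manual updates only (value 2); auto-update will not run")
    if policy.get("AutoUpdateCheckPeriodMinutes") == 0:
        problems.append("AutoUpdateCheckPeriodMinutes=0 disables the periodic update check")
    return problems


def assess_fleet(inventory: list[dict]) -> list[tuple[str, list[str]]]:
    """Return (hostname, issues) for endpoints running an unpatched build
    or carrying a policy that blocks updates."""
    findings = []
    for host in inventory:
        issues = []
        if not is_patched(host["version"], host["platform"]):
            issues.append(f"running {parse_version(host['version'])}, below the fixed build")
        issues.extend(update_policy_problems(host.get("policy", {})))
        if issues:
            findings.append((host["name"], issues))
    return findings


# Constructed sample inventory (not real hosts or real policy exports).
SAMPLE_INVENTORY = [
    {"name": "ws-01", "platform": "windows", "version": "Google Chrome 146.0.7680.76", "policy": {}},
    {"name": "ws-02", "platform": "windows", "version": "Google Chrome 146.0.7680.40",
     "policy": {"UpdateDefault": 0}},
    {"name": "lx-01", "platform": "linux", "version": "Google Chrome 146.0.7680.75"},
    {"name": "mac-01", "platform": "macos", "version": "Google Chrome 145.0.7632.120",
     "policy": {"UpdateDefault": 1, f"Update{CHROME_APP_ID}": 2}},
]

if __name__ == "__main__":
    for name, issues in assess_fleet(SAMPLE_INVENTORY):
        print(name)
        for issue in issues:
            print("  -", issue)
```

Feeding real data means exporting each endpoint's Chrome version (the `chrome --version` string, or the file version of `chrome.exe`) together with the values under the Google Update policy key; the script deliberately treats a missing policy as "updates allowed", so an endpoint with no policy at all is only flagged when its build is below the fixed version.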

Why This Matters

Browser zero-days remain among the most valuable commodities in the exploit market. They require no user interaction beyond visiting a webpage, work across operating systems, and bypass most endpoint protections.

Google's three-day turnaround from discovery to patch demonstrates mature incident response, but the fact that attackers beat them to exploitation underscores a persistent challenge: sophisticated threat actors have access to zero-day research capabilities that rival major tech vendors. Organizations should treat browser updates with the same urgency as operating system patches—which, given the pace of Microsoft patches we've seen this month, is saying something.

Seen against the broader landscape of current cybersecurity threats, these Chrome flaws fit a pattern of browser-based attack vectors growing more sophisticated through 2026.
