Google rushes Chrome update fixing two zero-days under attack

theregister.com · Brajeshwar
AI Summary

Google released emergency Chrome patches for two actively exploited zero-days: CVE-2026-3909 (out-of-bounds write in Skia graphics library) and CVE-2026-3910 (inappropriate implementation in V8 JavaScript engine). Both vulnerabilities are being actively exploited in the wild, marking Chrome's third zero-day under attack in 2026.

Entities
CVE-2026-3909 CVE-2026-3910 CVE-2026-2441 Google Chrome Skia V8
Skia graphics lib and V8 JavaScript engine brings browser's tally of actively exploited bugs to three in 2026

Carly Page, The Register, Fri 13 Mar 2026 // 11:25 UTC

Google has pushed out an emergency Chrome update to fix two previously unknown vulnerabilities that attackers were already exploiting before the patches landed.

The bugs, tracked as CVE-2026-3909 and CVE-2026-3910, affect core components of the browser and have prompted the usual warning from Google that technical details will remain under wraps until most users have updated.

"Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven't yet fixed," the company said.

CVE-2026-3909 is an out-of-bounds write flaw in Skia, the graphics library Chrome uses to render web content and parts of its user interface. Memory corruption bugs like this can sometimes be abused by attackers to crash applications or run their own code if successfully exploited.

The second bug, CVE-2026-3910, is described as an inappropriate implementation issue in the V8 JavaScript and WebAssembly engine, the part of Chrome responsible for executing scripts on webpages. V8 vulnerabilities are particularly valuable to attackers because they can potentially be triggered by getting a target to visit a malicious or compromised site.

Google says it is aware that exploits for both vulnerabilities are in the wild, though it hasn't shared details on how the bugs are being used or who might be behind the attacks.

That silence is fairly typical when zero-days are involved; vendors tend to hold back technical information to avoid handing exploit developers a blueprint before patches have spread widely.

The fixes are included in the latest Chrome Stable update for Windows, macOS, and Linux, which should roll out automatically over the coming days and weeks. Users can also trigger the update manually through Chrome's settings menu and will need to restart the browser to complete installation.

Google says both bugs were discovered in-house, which isn't always the case. The company also revealed this week that it paid $17 million to 747 security researchers through its Vulnerability Reward Program in 2025.

The fixes arrive roughly a month after Google patched another actively exploited Chrome zero-day, CVE-2026-2441, a high-severity use-after-free vulnerability in the browser's CSS handling that could allow a malicious webpage to execute code inside the browser's sandbox.

With two more zero-days now under attack, Chrome's 2026 tally is already growing. If your browser is nagging you to restart for an update, this might be a good moment to listen.