Google released emergency Chrome patches for two actively exploited zero-days: CVE-2026-3909 (out-of-bounds write in Skia graphics library) and CVE-2026-3910 (inappropriate implementation in V8 JavaScript engine). Both vulnerabilities are being actively exploited in the wild, marking Chrome's third zero-day under attack in 2026.
Google released patches for two high-severity zero-day vulnerabilities in Chrome affecting the Skia graphics library and V8 engine that were actively exploited in the wild. CVE-2026-3909 is an out-of-bounds write in Skia with CVSS 8.8 triggered via crafted HTML.
Google released emergency patches for two actively exploited Chrome zero-days: CVE-2026-3909 (out-of-bounds write in Skia graphics library enabling code execution) and CVE-2026-3910 (inappropriate V8 JavaScript engine implementation). Both vulnerabilities were discovered and patched by Google within two days of discovery.
PortSwigger researchers discovered a practical XSS exploitation technique for hidden input fields using the accesskey attribute combined with onclick events, which works across modern browsers including Firefox and Chrome by triggering payload execution via keyboard shortcuts (ALT+SHIFT+X on Windows, CTRL+ALT+X on macOS).