Stop reading. Update Chrome. Settings, Help, About Google Chrome. Let it do its thing. Come back.
Seriously. Two zero-days were actively being exploited before Google got the patch out, and if you haven’t updated to Chrome 146, you’re still a target.
The first one, CVE-2026-3909, hits Skia, the graphics library Chrome uses to render basically everything you see on screen. It’s an out-of-bounds write, which is a fancy way of saying an attacker can corrupt memory by getting you to visit a malicious page. CVSS 8.8. You don’t have to click anything special. Just loading the page is enough.
The second hits V8, Chrome’s JavaScript engine. V8 processes arbitrary JavaScript from every site you visit, and it’s been a favorite hunting ground for attackers for years. Both bugs were being used in real attacks before Google shipped the fix.
That’s the part that matters. “Actively exploited” doesn’t mean someone published a proof of concept on GitHub. It means actual attack campaigns were hitting real targets using these flaws.
How to update:
Desktop? Three-dot menu, Help, About Google Chrome. It’ll download automatically. Hit Relaunch. You want to see version 146 in that number.
Running Chrome through enterprise policy with update deferrals? Push this one manually. Both bugs are severe enough to break your normal patch cycle.
Mobile? Check the Play Store or App Store for a pending update.
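For the enterprise case above, one way to check a fleet export against the version 146 floor this post gives. This is an added example, not part of the original post; the tab-separated inventory format, the hostnames and the build numbers are constructed assumptions, and only the major version is compared because the post names no full build number.

```python
import re

# Minimum major version named in the post (no full build number is given there).
MIN_MAJOR = 146

# Four-part dotted version, with or without the "Google Chrome " prefix
# that `google-chrome --version` prints.
VERSION_RE = re.compile(r"(?<![\d.])(\d{1,4})\.(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_major(version_text):
    """Return the major version as an int, or None if no version is present."""
    match = VERSION_RE.search(version_text)
    return int(match.group(1)) if match else None


def audit(inventory_lines):
    """Sort hosts into patched / outdated / unknown.

    Each line is "<host><TAB><version text>" (assumed export format).
    Unparseable entries land in "unknown", never in "patched".
    """
    result = {"patched": [], "outdated": [], "unknown": []}
    for line in inventory_lines:
        if not line.strip():
            continue
        host, _, version_text = line.partition("\t")
        major = parse_major(version_text)
        if major is None:
            result["unknown"].append(host.strip())
        elif major >= MIN_MAJOR:  # integer compare, so 99 sorts below 146
            result["patched"].append(host.strip())
        else:
            result["outdated"].append(host.strip())
    return result


# Constructed sample inventory; hostnames and build numbers are made up.
SAMPLE = [
    "ws-001\tGoogle Chrome 146.0.1111.22",
    "ws-002\tGoogle Chrome 145.0.1000.99",
    "ws-003\t146.0.1111.22",
    "ws-004\tnot installed",
    "ws-005\tGoogle Chrome 99.0.4844.51",
]

if __name__ == "__main__":
    for bucket, hosts in audit(SAMPLE).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts in the "unknown" bucket need a manual look; a missing or unreadable version is not evidence of a patched browser.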
Browsers keep getting zero-days because browsers are doing an impossible job. They execute arbitrary code from any server on the internet, render complex graphics, and try to keep every site isolated from every other site. The attack surface is massive. Sophisticated attackers invest heavily in finding cracks, and sometimes they find them before the vendor does.
Apple patched a WebKit zero-day the same week. Different browser, same story. The window between exploitation and patching is where all the risk lives.
For Chrome users who haven’t updated yet, that window is still open. Close it.