In a race against active threats, Google has released another emergency Chrome update to patch two critical zero-day vulnerabilities, CVE-2026-3909 and CVE-2026-3910. These flaws were already being actively exploited in the wild, prompting urgent action from Google to protect users.
The update comes shortly after a previous zero-day patch released earlier in the year, highlighting the persistent challenges browser vendors face in defending against increasingly sophisticated threat actors.
Vulnerability Details
Out-of-Bounds Write in Skia (CVE-2026-3909)
A critical vulnerability tracked as CVE-2026-3909 affects the Skia Graphics Library, the open-source 2D graphics engine used by Google Chrome for rendering web pages, images, animations, and user interface elements.
The flaw stems from an out-of-bounds write condition, which occurs when the program writes data beyond the allocated memory boundary. Improper memory handling within Skia allows specially crafted graphical content to overwrite adjacent memory regions, potentially corrupting internal program structures.
In a typical attack scenario, a malicious webpage may deliver crafted graphical data—such as manipulated images, canvas rendering instructions, or vector graphics—that trigger the vulnerable code path inside the Skia rendering pipeline. When Chrome attempts to process this malformed input, the memory corruption may occur during the rendering stage.
If successfully exploited, attackers could:
- Crash the browser
- Execute arbitrary code within the browser process
- Potentially leverage additional vulnerabilities to escalate the attack
Because Skia processes graphical data from webpages automatically, attackers may trigger this vulnerability simply by luring users to a malicious or compromised website.
Another concerning aspect of this vulnerability is that modern websites heavily rely on graphical rendering operations, including HTML5 canvas elements, SVG graphics, and GPU-accelerated rendering. This significantly increases the attack surface because malicious payloads can be embedded within seemingly legitimate web content.
Furthermore, attackers often combine memory corruption vulnerabilities like out-of-bounds writes with heap manipulation techniques to achieve reliable exploitation. By carefully controlling the memory layout of the browser process, threat actors may redirect program execution flow to attacker-controlled code.
Although Google Chrome implements multiple security layers such as sandboxing and site isolation, successful exploitation within the renderer process can still allow attackers to perform malicious actions within the context of the browser session. This may include stealing session tokens, accessing sensitive browsing data, or launching further attacks against the underlying system.
That this vulnerability was reportedly actively exploited in the wild indicates that attackers had already developed working exploit chains targeting this flaw before the security patch was released. As a result, immediate patching is strongly recommended for both individual users and organizations.
Improper Implementation in V8 Engine (CVE-2026-3910)
The second vulnerability, CVE-2026-3910, affects the V8 JavaScript Engine, the high-performance engine responsible for executing JavaScript and WebAssembly code in Google Chrome. The V8 engine plays a critical role in modern browsers by compiling and executing scripts used by websites to power dynamic content, web applications, and interactive features.
This vulnerability stems from an inappropriate implementation of internal logic within the V8 engine, which may allow incorrect handling of certain script operations during execution. When the engine processes specially crafted JavaScript code, the flawed logic can cause the program to follow unintended execution paths. As a result, attackers may manipulate how memory or objects are handled during script execution.
In practice, an attacker could embed malicious JavaScript code within a webpage or inject it into a compromised website. When a victim visits the page, the script is automatically processed by the V8 engine. If the exploit successfully triggers the vulnerable code path, it may lead to memory corruption or other unsafe execution conditions within the browser’s renderer process.
One of the major risks associated with V8-related vulnerabilities is their ability to be triggered through normal browsing activity. Users do not need to download files or interact with prompts—simply loading a webpage containing the exploit can activate the vulnerability. This makes such flaws particularly attractive to threat actors conducting drive-by compromise attacks.
Affected Products
The vulnerabilities primarily affect Google Chrome versions prior to:
- 146.0.7680.75 – Windows and macOS
- 146.0.7680.76 – Linux
Microsoft Edge versions prior to 144.0.3719.130 are also affected.
Tactics, Techniques, and Procedures (TTPs)
- TA0001 – Initial Access: Attackers can use various methods to gain an initial foothold in the system, such as drive-by compromise.
- TA0002 – Execution: After gaining initial access, attackers can execute malicious code on the system through exploitation for client execution.
- T1189 – Drive-by Compromise: Attackers can compromise a system by exploiting vulnerabilities in web browsers or plugins when a user visits a malicious website.
- T1203 – Exploitation for Client Execution: Attackers can exploit vulnerabilities in client-side applications to execute arbitrary code on the system.
Mitigations
- Update Google Chrome to version 146.0.7680.75/76 or later
- Update Microsoft Edge to version 144.0.3719.130 or later
- Restart the browser after applying updates to ensure the patch is active
- Avoid visiting untrusted websites or clicking suspicious links
- Use browser security extensions that block malicious scripts and ads
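To act on the version thresholds and the restart step above across many machines, the following added example (not code from Google or from this page's author) classifies inventory records as vulnerable, restart-pending, or patched. The record layout, the host names, and the separate "running" field are assumptions; the fixed versions are the ones listed on this page.

```python
# Added example: classify browser inventory records against the fixed versions
# listed on this page. The record layout and host names are assumptions.

# Fixed versions from the advisory; "*" means the page names no platform.
FIXED = {
    "chrome": {"windows": "146.0.7680.75", "macos": "146.0.7680.75",
               "linux": "146.0.7680.76"},
    "edge": {"*": "144.0.3719.130"},
}

def parse_version(text):
    """'146.0.7680.75' -> (146, 0, 7680, 75); ValueError on any other shape."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part version: {text!r}")
    return tuple(int(p) for p in parts)

def classify(record):
    """Return 'vulnerable', 'restart-pending', 'patched' or 'unknown'."""
    try:
        per_platform = FIXED[record["product"].lower()]
        fixed_text = per_platform.get(record["platform"].lower(), per_platform.get("*"))
        if fixed_text is None:
            return "unknown"          # platform not covered by the advisory
        fixed = parse_version(fixed_text)
        installed = parse_version(record["installed"])
        # The running process keeps the old binary until the browser restarts.
        running = parse_version(record.get("running") or record["installed"])
    except (KeyError, ValueError, AttributeError):
        return "unknown"              # unknown product or malformed version
    if installed < fixed:             # integer tuples, not string comparison
        return "vulnerable"
    if running < fixed:
        return "restart-pending"
    return "patched"

# Constructed sample inventory (not real hosts or telemetry).
INVENTORY = [
    {"host": "ws-01", "product": "chrome", "platform": "windows", "installed": "146.0.7680.74"},
    {"host": "ws-02", "product": "chrome", "platform": "windows", "installed": "146.0.7680.75", "running": "146.0.7680.70"},
    {"host": "lx-01", "product": "chrome", "platform": "linux", "installed": "146.0.7680.75"},
    {"host": "mac-01", "product": "chrome", "platform": "macos", "installed": "146.0.7680.100"},
    {"host": "ws-03", "product": "edge", "platform": "windows", "installed": "144.0.3719.129"},
    {"host": "ws-04", "product": "chrome", "platform": "windows", "installed": "146.0.7680"},
]

def triage(inventory):
    """Map each host to its status."""
    return {r["host"]: classify(r) for r in inventory}
```

Note that lx-01 is flagged even though 146.0.7680.75 is the fixed build on Windows and macOS, and that mac-01 would be misjudged by a plain string comparison, since "146.0.7680.100" sorts before "146.0.7680.75" as text.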
Instantly Fix Risks with Saner Patch Management
Saner patch management is continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
