INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Google Exploits Zero Day in Chrome Browser
| 2026-03-13 10:30 CRITICAL HIGHExecutive Summary AI-generated
The security update released by Google to address two high-severity vulnerabilities in the Chrome browser has been confirmed as a critical incident, with exploits for both CVE-2026-3909 and CVE-2026-3910 already being used in real-world attacks. The flaws are use-after-free bugs in the V8 JavaScript/WebAssembly engine that allow remote attackers to run arbitrary code within the browser sandbox using maliciously crafted HTML pages. This is the first actively exploited Chrome zero-day fixed in 2026, following eight similar flaws patched in 2025.
Technical Mitigations AI-generated
• Update to patch high-severity vulnerabilities: Google has released security updates to address two new actively exploited flaws in the Chrome browser, CVE-2026-3909 and CVE-2026-3910.
• Implement secure coding practices: The company is aware of attacks exploiting these flaws and has implemented secure coding practices by updating the Stable channel to version 146.0.7680.75/76 for Windows and Mac, and 146.0.7680.75 for Linux.
• Patch zero-day vulnerability: Google released urgent security updates to address another high-severity zero-day vulnerability, CVE-2026-2441 (CVSS score of 8.8), in Chrome that is already being exploited in real-world attacks.
• Implement secure rendering practices: The company has confirmed that an exploit for CVE-2026-2441 exists in the wild and has implemented secure rendering practices by updating affected systems to prevent arbitrary code execution within a sandbox via crafted HTML pages.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2026-3910CVE-2026-3910
CVE-2026-2441CVE-2026-2441
CVE-2026-3909CVE-2026-3909
Target & Sectors
Global Scope
technologytechnology
Incident Timeline
February 11
Threat actors exploited two newly discovered vulnerabilities in the Google Chrome browser.
February 11, 2026
Google confirmed the existence of an exploit for CVE-2026-2441 in the wild on February 11, 2026.
Click on any entity below to view its context and source!
organisation
CVE-2026
Google has confirmed that an exploit for CVE-2026-2441 exists in the wild, but has not shared details about how it is being used or which threat actor is behind the exploitation of the flaw.
organisation
SecurityAffairs
Follow me on Twitter:
@securityaffairs
and
Facebook
and
Mastodon
Pierluigi Paganini
(
SecurityAffairs
– hacking, Chrome)
February 13
Google fixed two new actively exploited flaws in the Chrome browser on February 13.
Click on any entity below to view its context and source!
vulnerability
CVE-2026-2441
The update, published on February 13, was accompanied by an advisory on
CVE-2026-2441
, a high severity security vulnerability in Google Chrome for desktop on Windows, Mac and Linux.
infrastructure
Windows
The update, published on February 13, was accompanied by an advisory on
CVE-2026-2441
, a high severity security vulnerability in Google Chrome for desktop on Windows, Mac and Linux.
infrastructure
Linux
The update, published on February 13, was accompanied by an advisory on
CVE-2026-2441
, a high severity security vulnerability in Google Chrome for desktop on Windows, Mac and Linux.
organisation
Google Chrome
The update, published on February 13, was accompanied by an advisory on
CVE-2026-2441
, a high severity security vulnerability in Google Chrome for desktop on Windows, Mac and Linux.
organisation
Windows, Mac
The update, published on February 13, was accompanied by an advisory on
CVE-2026-2441
, a high severity security vulnerability in Google Chrome for desktop on Windows, Mac and Linux.
March 10, 2026
Google fixed two new actively exploited flaws in the Chrome browser by patching CVE-2026-3909 and CVE-2026-3910 vulnerabilities.
Click on any entity below to view its context and source!
organisation
CSS
The flaw is a use-after-free bug in the browser’s CSS component.
organisation
HTML
Below are the descriptions for these vulnerabilities:
CVE-2026-3909 (CVSS score: 8.8) – Out-of-bounds write in the Skia 2D graphics library that lets a remote attacker trigger memory corruption by tricking a user into opening a specially crafted HTML page.
organisation
Skia 2D
Below are the descriptions for these vulnerabilities:
CVE-2026-3909 (CVSS score: 8.8) – Out-of-bounds write in the Skia 2D graphics library that lets a remote attacker trigger memory corruption by tricking a user into opening a specially crafted HTML page.
organisation
CVE-2026-2441
In mid-February, Google released urgent security updates to address another high-severity zero-day vulnerability,
tracked as CVE-2026-2441
(CVSS score of 8.8), in Chrome that is already being exploited in real-world attacks.
infrastructure
8.8
In mid-February, Google released urgent security updates to address another high-severity zero-day vulnerability,
tracked as CVE-2026-2441
(CVSS score of 8.8), in Chrome that is already being exploited in real-world attacks.
infrastructure
Windows
The company informed users that the Stable channel has been updated to version 146.0.7680.75/76 for Windows and Mac, and 146.0.7680.75 for Linux.
infrastructure
Linux
The company informed users that the Stable channel has been updated to version 146.0.7680.75/76 for Windows and Mac, and 146.0.7680.75 for Linux.
infrastructure
146.0.7680
The company informed users that the Stable channel has been updated to version 146.0.7680.75/76 for Windows and Mac, and 146.0.7680.75 for Linux.
organisation
Windows and Mac
The company informed users that the Stable channel has been updated to version 146.0.7680.75/76 for Windows and Mac, and 146.0.7680.75 for Linux.
2026-03-13
Thaspol Sangsee used an exploit for CVE-2026-3909 to target Chrome.
Click on any entity below to view its context and source!
organisation
NVD
As detailed by the National Institute of Standards and Technology (NIST)
National Vulnerability Database
(NVD), the bug originated from an issue in Cascading Style Sheets (CSS) allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
organisation
CSS
As detailed by the National Institute of Standards and Technology (NIST)
National Vulnerability Database
(NVD), the bug originated from an issue in Cascading Style Sheets (CSS) allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
organisation
HTML
As detailed by the National Institute of Standards and Technology (NIST)
National Vulnerability Database
(NVD), the bug originated from an issue in Cascading Style Sheets (CSS) allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
organisation
CVE-2026
The tech giant also confirmed that it “is aware that an exploit for CVE-2026-2441 exists in the wild.”
organisation
Google
Google has released a security update to patch a newly discovered zero-day in Chrome and the company warned an exploit exists in the wild.
Google fixed two new actively exploited flaws in the Chrome browser.
organisation
Thaspol Sangsee
/
Image credit:
Thaspol Sangsee
/ Shutterstock.com
organisation
Shutterstock.com
Image credit:
Thaspol Sangsee
/ Shutterstock.com
organisation
CVE-2026-3909 & CVE-2026
“Google is aware that exploits for both CVE-2026-3909 & CVE-2026-3910 exist in the wild.” reads the
advisory
published by the tech giant.
Tactical Metrics
Metrics
infrastructure
Windows
Affected Product
Click for context!
The update, published on February 13, was accompanied by an advisory on
CVE-2026-2441
, a high severity security vulnerability in Google Chrome for desktop on Windows, Mac and Linux.
The company informed users that the Stable channel has been updated to version 146.0.7680.75/76 for Windows and Mac, and 146.0.7680.75 for Linux.
Metrics
infrastructure
Linux
Affected Product
The update, published on February 13, was accompanied by an advisory on
CVE-2026-2441
, a high severity security vulnerability in Google Chrome for desktop on Windows, Mac and Linux.
The company informed users that the Stable channel has been updated to version 146.0.7680.75/76 for Windows and Mac, and 146.0.7680.75 for Linux.
Metrics
infrastructure
146.0.7680
Software Version
The company informed users that the Stable channel has been updated to version 146.0.7680.75/76 for Windows and Mac, and 146.0.7680.75 for Linux.
Metrics
infrastructure
8.8
Software Version
In mid-February, Google released urgent security updates to address another high-severity zero-day vulnerability,
tracked as CVE-2026-2441
(CVSS score of 8.8), in Chrome that is already being exploited in real-world attacks.
Intelligence Sources
Infosecurity-Magazine
2026-02-16
Google Warns of In the Wild Exploit as It Patches New Chrome Zero Day
Infosecurity-Magazine
Security Affairs
2026-03-13
Google fixed two new actively exploited flaws in the Chrome browser
Security Affairs
Unpublish from Social Media?
Are you sure you want to delete this podcast video from all synchronized social networks (YouTube, Facebook, Threads)?
Important:
Due to Meta API restrictions, Instagram Reels cannot be deleted automatically via API by third-party apps.
View Profile to Delete Manually
View Profile to Delete Manually
Tactical Intelligence
Report Intelligence Issue
Podcast Options
Generate
Incident Version History
CURRENT VERSION
Last Updated: 2026-04-27T10:53
Comprehensive Tactical Telemetry
Highly Correlated Entities
15x
organisation
Identified Entity
the National Institute of Standards and Technology
entity
6x
timeline
Temporal Reference
February 13
date
3x
vulnerability
Exploited CVE
CVE-2026-2441
cve
2x
infrastructure
Affected Product
Windows
software
2x
infrastructure
Software Version
146.0.7680
version
Contextual Telemetry
Context Block
4 METRICS
industry
Targeted Sector
Technology
sector
general metric
Score
9
score
vulnerability
CVSS Score
9
score
tactic
MITRE ATT&CK Technique
T1059.007 - JavaScript
technique
Click on any entity below to view its context in the main text!
Selective Unpublish
Selecciona las redes de las que quieres eliminar esta publicación. El sistema intentará borrar el post real de la API y limpiará la base de datos para que puedas volver a lanzarlo.
By navigating this website, you accept the use of strictly necessary technical cookies for session security and basic platform functionality. We do not use tracking or advertising cookies.
Read our Privacy Policy.