INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Google Fixes Two Chrome Zero-Days Exploited in the Wild
2026-03-13 09:17 CRITICAL HIGH
Executive Summary AI-generated
Google has released security updates for its Chrome web browser to address two high-severity vulnerabilities that have been exploited in the wild. The first vulnerability, CVE-2026-3909, is an out-of-bounds write weakness in Skia, a 2D graphics library responsible for rendering web content and user interface elements. This allows attackers to crash the web browser or gain code execution. Google discovered this flaw on March 10, 2026, and patched it within two days of reporting.
The second vulnerability, CVE-2026-3910, is an inappropriate implementation vulnerability in the V8 JavaScript and WebAssembly engine. This allows remote attackers to execute arbitrary code inside a sandbox via a crafted HTML page. Google discovered this flaw on March 10, 2026, as well, and patched it within two days of reporting.
Both vulnerabilities were reported by Google itself on March 13, 2026. Users of other Chromium-based browsers, such as Microsoft Edge, Brave, Opera, and Vivaldi, are also advised to apply the fixes as soon as they become available.
Technical Mitigations AI-generated
* Use a recent version of Chrome: Google recommends updating to versions 146.0.7680.75/76 for Windows and Apple macOS, or 146.0.7680.75 for Linux.
* Keep your browser up to date: Regularly update Chrome to ensure you have the latest security patches and fixes.
* Use a web application firewall (WAF): Consider using a WAF like Cloudflare's Web Application Firewall to help protect against zero-day attacks.
* Be cautious with HTML injection: When interacting with websites, be careful not to inject malicious code into your browser. Use input validation and sanitization techniques to prevent this type of attack.
* Use secure protocols (HTTPS): Always use HTTPS when accessing sensitive information or making online transactions. This will help protect against eavesdropping and man-in-the-middle attacks.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2026-2441
CVE-2026-3910
CVE-2026-3909
Target & Sectors
Global Scope
Incident Timeline
2025-03-13
Threat Analysis Group fixed two Chrome zero-days exploited in the wild on 2025-03-13.
organisation
Threat Analysis Group
Last year, Google fixed a total of eight zero-days exploited in the wild, many of which were reported by Google's Threat Analysis Group (TAG), a group of security researchers known for tracking and identifying zero-days exploited in spyware attacks.
March 10, 2026
Threat actors used a zero-day exploit in the Skia graphics processing library to target users of Microsoft Edge, Brave, Opera and Vivaldi browsers.
organisation
Google
Both vulnerabilities were discovered and reported by Google itself on March 10, 2026.
organisation
CSS
The development comes less than a month after Google shipped fixes for a high-severity use-after-free bug in Chrome's CSS component (CVE-2026-2441, CVSS score: 8.8) that had also been exploited as a zero-day.
infrastructure
Windows
For optimal protection, users are advised to update their Chrome browser to versions 146.0.7680.75/76 for Windows and Apple macOS, and 146.0.7680.75 for Linux.
organisation
CVE-2026
"Google is aware that exploits for both CVE-2026-3909 and CVE-2026-3910 exist in the wild," the company noted.
organisation
Chromium
Users of other Chromium-based browsers, such as Microsoft Edge, Brave, Opera, and Vivaldi, are also advised to apply the fixes as and when they become available.
2026-03-13
Google released security updates to patch two high-severity Chrome vulnerabilities exploited in zero-day attacks.
organisation
BleepingComputer
While Google says the out-of-band update could take days or weeks to reach all users, it was immediately available when BleepingComputer checked for updates earlier today.
organisation
CSS
The first, tracked as CVE-2026-2441 and described as an iterator invalidation bug in CSSFontFeatureValuesMap (Chrome's implementation of CSS font feature values), was addressed in mid-February.
infrastructure
Windows
How to update Chrome
The latest version number is 145.0.7632.75/76 for Windows and macOS, and 145.0.7632.75 for Linux.
Google discovered both security flaws and patched them within two days of reporting for users in the Stable Desktop channel, with new versions rolling out to Windows (146.0.7680.75), macOS (146.0.7680.76), and Linux systems (146.0.7680.75).
infrastructure
145.0.7632
How to update Chrome
The latest version number is 145.0.7632.75/76 for Windows and macOS, and 145.0.7632.75 for Linux.
So, if your Chrome is on version 145.0.7632.75 or later, it’s protected from these vulnerabilities.
organisation
Google
Pieter Arntz reports:
Google has issued a patch for a high-severity Chrome zero-day, tracked as CVE-2026-2441, a memory bug in how the browser handles certain font features that attackers are already exploiting.
Google fixes two new Chrome zero-days exploited in attacks.
organisation
CVE-2026-3909 & CVE-2026
"Google is aware that exploits for both CVE-2026-3909 & CVE-2026-3910 exist in the wild," Google said in a security advisory published on Thursday.
organisation
WebAssembly
The second one (CVE-2026-3910) is described as an inappropriate implementation vulnerability in the V8 JavaScript and WebAssembly engine.
organisation
Chrome
Google has released emergency security updates to patch two high-severity Chrome vulnerabilities exploited in zero-day attacks.
organisation
Vulnerability Reward Program
On Thursday, Google also revealed that it has paid over $17 million to 747 security researchers who reported security flaws through its Vulnerability Reward Program (VRP) in 2025.
organisation
The Red Report 2026
The Red Report 2026 reveals how new threats use math to detect sandboxes and hide in plain sight.
organisation
Google Fixes
Google Fixes Two Chrome Zero-Days Exploited in the Wild Affecting Skia and V8.
organisation
Browser Security / Vulnerability
Ravie Lakshmanan
Mar 13, 2026
Browser Security / Vulnerability
Google on Thursday released security updates for its Chrome web browser to address two high-severity vulnerabilities that it said have been exploited in the wild.
Mar 13, 2026
Threat actors used a crafted HTML page to exploit an out-of-bounds write vulnerability in the Skia 2D graphics library, allowing them to perform out-of-bounds memory access.
organisation
WebAssembly
An inappropriate implementation vulnerability in the V8 JavaScript and WebAssembly engine that allows a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
organisation
Skia 2D
An out-of-bounds write vulnerability in the Skia 2D graphics library that allows a remote attacker to perform out-of-bounds memory access via a crafted HTML page.
the start of 2026
Google released patches for two Chrome components, Skia and V8, which were exploited in the wild as part of a series of active zero-day attacks.
Tactical Metrics
Metrics
infrastructure
Windows
Affected Product
Metrics
infrastructure
Macos
Affected Product
Metrics
infrastructure
Linux
Affected Product
Metrics
infrastructure
145.0.7632
Software Version
Metrics
infrastructure
146.0.7680
Software Version
Metrics
financial
17,000,000
Google
Intelligence Sources
Data Breaches
2026-02-21
BleepingComputer
2026-03-13
Google fixes two new Chrome zero-days exploited in attacks
BleepingComputer
The Hacker News
2026-03-13
Incident Version History
CURRENT VERSION
Last Updated: 2026-04-27T10:49
Comprehensive Tactical Telemetry
Highly Correlated Entities
19x
organisation
Identified Entity
Google
entity
8x
timeline
Temporal Reference
2026
date
3x
vulnerability
Exploited CVE
CVE-2026-2441
cve
3x
infrastructure
Affected Product
Windows
software
2x
infrastructure
Software Version
145.0.7632
version
2x
tactic
MITRE ATT&CK Technique
T1059.007 - JavaScript
technique
Contextual Telemetry
Context Block
7 METRICS
financial
Google
17,000,000
google
general metric
Security Researchers
747
security researchers
general metric
Red Report
2,026
red report
general metric
Malicious Samples
1,100,000
malicious samples
general metric
Top Techniques
10
top techniques
general metric
Score
9
score
general metric
Mar
13
mar