Google released an emergency Chrome 146 update to address two zero-day vulnerabilities that are being actively exploited in the wild. The flaws—an out-of-bounds write in the Skia graphics library (CVE-2026-3909) and an implementation weakness in the V8 JavaScript engine (CVE-2026-3910)—were patched across Windows, macOS, Linux, and Android. #CVE-2026-3909 #CVE-2026-3910
Keypoints
- Google issued an emergency Chrome 146 update to fix two actively exploited zero-day vulnerabilities.
- CVE-2026-3909 is an out-of-bounds write in the Skia graphics library that can corrupt memory and enable arbitrary code execution or crashes.
- CVE-2026-3910 is an inappropriate implementation weakness in the V8 JavaScript engine that could allow attackers to execute arbitrary code and enable sandbox escapes.
- Patches were released in Chrome 146.0.7680.75/76 for Windows and macOS, 146.0.7680.75 for Linux, and 146.0.76380.115 for Android.
- Google awarded roughly $210,000 in bounty rewards for the reported bugs, including notable payouts to Tobias Wienand and other researchers.
Read More: https://www.securityweek.com/chrome-146-update-patches-two-exploited-zero-days/