Google just patched two zero-day vulnerabilities in Chrome—CVE-2026-3909 and CVE-2026-3910—that were already being exploited in the wild before fixes were available. No file download required. No phishing email to fall for. A user simply had to visit the wrong webpage.
With an estimated 3.45 billion Chrome users worldwide, the attack surface is enormous. And because the flaws sit inside two of the browser's most foundational components—the Skia graphics engine and the V8 JavaScript core—every Chrome user on every platform was potentially exposed.
Google patched both vulnerabilities within days. But here's the problem most businesses are already familiar with: the patch only works if it's applied. And most organizations don't update browsers fast enough.
What Are CVE-2026-3909 and CVE-2026-3910?
Both vulnerabilities carry a CVSS score of 8.8 (High), and both were discovered and reported internally by Google on March 10, 2026.
CVE-2026-3909: Out-of-Bounds Write in Skia
Skia is Chrome's open-source 2D graphics library—the engine responsible for rendering nearly everything you see in the browser. CVE-2026-3909 is an out-of-bounds write vulnerability, meaning an attacker can craft a malicious HTML page that causes Chrome to write data past the intended boundary of allocated memory. The result: browser crashes, memory corruption, or remote code execution on the victim's device.
CVE-2026-3910: Inappropriate Implementation in V8
V8 is Chrome's JavaScript and WebAssembly engine—the component that executes active content on virtually every website. CVE-2026-3910 allows an attacker to execute arbitrary code inside V8's sandbox through a specially crafted webpage. Because V8 processes content during normal browsing, exploitation requires nothing more than visiting a compromised or malicious site.
In both cases, the attack vector is identical: trick a user into visiting a webpage. No interaction beyond that is needed.
What We Know About Active Exploitation
"Google is aware that exploits for both CVE-2026-3909 and CVE-2026-3910 exist in the wild," Google stated in its security advisory. The company confirmed active exploitation but deliberately withheld technical details to prevent additional threat actors from weaponizing the flaws.
The response was swift. On March 13, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added both vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply fixes by March 27. Google released patched versions for Windows (146.0.7680.75), macOS (146.0.7680.76), and Linux (146.0.7680.75) within two days of disclosure. Microsoft followed with an Edge update (146.0.3856.62) addressing CVE-2026-3909.
These are the second and third actively exploited Chrome zero-days in 2026. The first, CVE-2026-2441—an iterator invalidation bug in CSSFontFeatureValuesMap—was patched in mid-February. For context, Google's Threat Intelligence Group tracked 90 zero-day vulnerabilities exploited in the wild across all vendors in 2025, up from 78 in 2024.
As we covered in our explainer on what zero-day attacks are, these vulnerabilities are especially dangerous because attackers are already exploiting them before defenders know the flaws exist.
Why the Patch Window Is Shrinking
The traditional vulnerability cycle used to look something like this: a flaw is discovered, a patch is developed, organizations test and deploy it over weeks, and attackers who learn about the flaw eventually build exploits. That timeline gave defenders a reasonable window.
That window is collapsing.
Google's Threat Intelligence Group has noted that AI tools are now accelerating both vulnerability discovery and exploit development. When a vulnerability is disclosed, the time between "public knowledge" and "actively exploited at scale" has compressed from weeks to days—and in some cases, hours. This is consistent with what we explored in our analysis of AI-powered vulnerability discovery, where a single AI model identified over 500 unknown security flaws in widely used open-source software.
The implication is straightforward: delayed patching is now a far riskier proposition than it was even a year ago. Every hour a known vulnerability goes unpatched is an hour that AI-assisted tools can be generating and distributing working exploits.
As we discussed in our piece on AI-powered cyber threats and what businesses should know, the acceleration isn't theoretical—it's already reshaping how attacks unfold in practice.
The Browser Extension Problem Makes It Worse
Zero-day browser vulnerabilities don't exist in isolation. They compound with other browser-level risks that most businesses are already underestimating.
In January 2026, Microsoft reported that two malicious Chrome extensions—posing as AI assistant tools—had collectively reached over 900,000 installations. The extensions were exfiltrating complete ChatGPT and DeepSeek conversation histories to attacker-controlled servers every 30 minutes. Microsoft Defender telemetry confirmed activity across more than 20,000 enterprise tenants.
One of those extensions carried a Google "Featured" badge.
The exposure wasn't limited to personal data. Employees were using these AI tools with sensitive inputs—proprietary code, internal workflows, strategic discussions—all of which were being silently collected and transmitted. We covered this broader risk in detail in our piece on browser extensions as a security blind spot.
When you combine unpatched zero-day vulnerabilities with an unmanaged extension ecosystem, the browser becomes one of the highest-risk components in any business environment—and one of the least monitored. For more on evaluating your browser's security posture, see our guide on how secure your browser really is.
What Your Business Should Do Right Now
These vulnerabilities are already patched. The question is whether your organization has applied the fix—and whether you have the processes in place to respond this quickly the next time.
1. Update Chrome Immediately
Ensure every device in your organization is running Chrome version 146.0.7680.75 or later (146.0.7680.76 on macOS). Don't assume auto-update has done its job—Chrome updates often require a browser restart to take effect, and many users leave tabs open for days or weeks.
For organizations using Microsoft Edge or other Chromium-based browsers, verify those are updated as well. Microsoft has released Edge version 146.0.3856.62 to address CVE-2026-3909.
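The version check in step 1 is easy to get wrong if builds are compared as strings, since "146.0.7680.9" sorts after "146.0.7680.75" alphabetically. The following added example (ours, not Google's or Microsoft's tooling) compares reported builds numerically against the patched versions quoted above; the inventory rows and hostnames are constructed, and the inventory format is assumed.

```python
"""Flag hosts whose browser build is below the patched versions named in the
article. Added example; the inventory rows below are constructed, not real hosts."""
from typing import Dict, List, Tuple

# Minimum patched builds from the advisory coverage above.
PATCHED: Dict[Tuple[str, str], str] = {
    ("chrome", "windows"): "146.0.7680.75",
    ("chrome", "macos"): "146.0.7680.76",
    ("chrome", "linux"): "146.0.7680.75",
    ("edge", "windows"): "146.0.3856.62",
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Split a dotted build string into integers so that 146.0.7680.9 sorts
    below 146.0.7680.75; a plain string comparison gets this backwards."""
    return tuple(int(part) for part in v.strip().split("."))


def is_patched(browser: str, platform: str, version: str) -> bool:
    """True when the build is at or above the patched build for that browser
    and platform. Combinations the table does not know are reported as
    unpatched so they get looked at rather than silently passing."""
    floor = PATCHED.get((browser.lower(), platform.lower()))
    if floor is None:
        return False
    return parse_version(version) >= parse_version(floor)


def unpatched_hosts(inventory: List[Dict[str, str]]) -> List[str]:
    """Return the hostnames still reporting a vulnerable build, in inventory order."""
    return [
        row["host"]
        for row in inventory
        if not is_patched(row["browser"], row["platform"], row["version"])
    ]


# Constructed sample inventory in the shape an MDM export might provide (assumed format).
SAMPLE_INVENTORY = [
    {"host": "win-01", "browser": "chrome", "platform": "windows", "version": "146.0.7680.75"},
    {"host": "win-02", "browser": "chrome", "platform": "windows", "version": "146.0.7680.9"},
    {"host": "mac-01", "browser": "chrome", "platform": "macos", "version": "146.0.7680.75"},
    {"host": "lin-01", "browser": "chrome", "platform": "linux", "version": "147.0.1.1"},
    {"host": "win-03", "browser": "edge", "platform": "windows", "version": "146.0.3856.62"},
    {"host": "win-04", "browser": "edge", "platform": "windows", "version": "145.0.3800.10"},
]

if __name__ == "__main__":
    for host in unpatched_hosts(SAMPLE_INVENTORY):
        print(f"{host}: vulnerable build, update and restart the browser")
```

Note that mac-01 is flagged even though it runs the Windows/Linux fix level, because the macOS fix shipped as 146.0.7680.76.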
2. Audit Your Browser Extension Landscape
If your organization doesn't have a policy governing browser extensions, you're operating with a blind spot. At a minimum:
- Enforce extension allowlists through group policy or MDM
- Block sideloading of unapproved extensions
- Review and revalidate extensions when permissions or ownership change
- Apply data loss prevention (DLP) controls to AI tool usage in the browser
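As an added example of the first two bullets (not from the article), the function below checks a Chrome managed-policy document for an allowlist-only model: ExtensionInstallBlocklist set to "*" refuses every extension not explicitly allowlisted, which covers store installs and sideloaded packages alike. The policy keys are Chrome's real enterprise policy names; the approved extension ID is a constructed placeholder, and the rule that force-installed extensions must also appear on the allowlist is an organizational check we assume here, not Chrome behaviour.

```python
"""Evaluate Chrome extension policy for allowlist-only enforcement. Added example;
the approved extension ID below is a placeholder, not a real extension."""
import re
from typing import Any, Dict, List

# Chrome extension IDs are 32 lowercase letters in the range a-p.
EXTENSION_ID = re.compile(r"^[a-p]{32}$")


def policy_findings(policy: Dict[str, Any]) -> List[str]:
    """Return a list of problems; an empty list means the policy blocks everything
    by default and only explicitly approved extensions may install."""
    findings: List[str] = []
    blocklist = policy.get("ExtensionInstallBlocklist", [])
    allowlist = policy.get("ExtensionInstallAllowlist", [])
    forcelist = policy.get("ExtensionInstallForcelist", [])
    if "*" not in blocklist:
        findings.append("ExtensionInstallBlocklist lacks '*': users may install any extension")
    if not allowlist:
        findings.append("ExtensionInstallAllowlist is empty: nothing is explicitly approved")
    for ext_id in allowlist:
        if not EXTENSION_ID.match(ext_id):
            findings.append(f"allowlist entry {ext_id!r} is not a valid extension ID")
    approved = set(allowlist)
    for entry in forcelist:
        # Force-install entries take the form "<id>;<update_url>". Requiring the id
        # to be allowlisted is our review rule so every deployed extension is vetted.
        ext_id = entry.split(";", 1)[0]
        if ext_id not in approved:
            findings.append(f"force-installed {ext_id!r} is not on the allowlist")
    return findings


# Constructed weak policy: no blocklist, so anything from the store installs.
WEAK_POLICY: Dict[str, Any] = {"ExtensionInstallAllowlist": []}

# Constructed hardened policy: block everything, then approve one placeholder ID.
APPROVED_ID = "a" * 32  # placeholder, not a real extension
HARDENED_POLICY: Dict[str, Any] = {
    "ExtensionInstallBlocklist": ["*"],
    "ExtensionInstallAllowlist": [APPROVED_ID],
    "ExtensionInstallForcelist": [APPROVED_ID + ";https://clients2.google.com/service/update2/crx"],
}

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, policy_findings(policy) or ["ok"])
```

On Linux the same document would sit as JSON under Chrome's managed policies directory; on Windows and macOS the keys map to the equivalent Group Policy and configuration-profile settings.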
3. Implement Rapid Patch Management
If your patch cycle for browsers is measured in weeks rather than days, the current threat landscape has outpaced your process. Browser patching should be treated with the same urgency as operating system patching—if not more, given that browsers are the primary interface between your employees and the internet.
We've covered the fundamentals of this process in our guide on software updates and patch management, and the real-world consequences of falling behind in our piece on what happens when systems aren't updated regularly.
4. Assume the Browser Is a Managed Endpoint
Most businesses treat servers, laptops, and phones as managed endpoints. The browser—where employees spend the majority of their working day—often gets overlooked. Treat it as what it is: a high-value target that handles authentication tokens, sensitive data, and direct internet access.
This includes monitoring for anomalous browser behavior, enforcing security policies at the browser level, and ensuring that endpoint detection and response (EDR) tools have visibility into browser activity. For organizations evaluating their detection capabilities, our comparison of next-generation antivirus versus traditional approaches covers why signature-based detection alone isn't sufficient for zero-day threats.
The Bigger Picture
Three Chrome zero-days exploited in the wild in the first three months of 2026. Ninety across all vendors in 2025. AI accelerating both the discovery and weaponization of vulnerabilities. Malicious extensions reaching hundreds of thousands of enterprise users through the official Chrome Web Store.
The pattern is clear: the tools we rely on most are becoming the tools attackers target most. Browsers sit at the center of nearly every business workflow—email, cloud applications, collaboration platforms, financial systems. That centrality makes them extraordinarily valuable targets.
For businesses, the takeaway isn't panic—it's process. The organizations that weather this environment will be the ones with rapid patching workflows, managed browser environments, and the assumption that the next zero-day is a matter of when, not if.
As we explored in our guide on how to prevent zero-day attacks, defense against unknown vulnerabilities isn't about predicting which flaw comes next. It's about building the operational resilience to respond quickly when it does.
If you're unsure whether your organization's patching and browser security posture can keep up with the current pace of threats, that uncertainty itself is a signal worth acting on.
This article is intended for informational purposes only and does not constitute professional security, legal, or compliance advice. Organizations should consult with qualified cybersecurity professionals to assess their specific circumstances and develop appropriate protective measures.