Overview
- Google corrected its Friday out‑of‑cycle patch after acknowledging the Skia flaw (CVE-2026-3909) was not actually fixed, releasing 146.0.7680.80 for Windows, macOS and Linux, and 146.0.7680.119 for Android.
- The actively exploited bugs include an out‑of‑bounds write in Skia (CVE-2026-3909) and an “inappropriate implementation” in the V8 JavaScript engine enabling sandboxed code execution (CVE-2026-3910).
- Users are urged to update immediately, with desktop builds available via Chrome’s About panel; Android protection depends on staggered Google Play rollouts that may take days to reach all devices.
- Google is withholding technical details and indicators of compromise for now, disclosing only that exploits exist in the wild and providing no scope or attribution for the attacks.
- Earlier in the week, Chrome 146 closed 29 vulnerabilities, including a critical WebML overflow (CVE-2026-3913), with external researchers credited and bounties exceeding $200,000, while other Chromium‑based browsers work to ship matching fixes.