Overview
- The flaws, tracked as CVE-2026-3909 in Skia and CVE-2026-3910 in the V8 engine, can be triggered by crafted web pages and may lead to code execution.
- Fixes are rolling out as Chrome 146.0.7680.75/76 on Windows and macOS and 146.0.7680.75 on Linux, with Chrome for Android updated to 146.0.76380.115.
- Google discovered both issues in-house on March 10, assigned CVSS 8.8, and shipped patches within roughly two days.
- These are the second and third actively exploited Chrome zero‑days patched in 2026, following a CSS component bug fixed in February.
- Earlier this week, Chrome 146 also addressed 29 vulnerabilities including a critical WebML heap overflow (CVE-2026-3913), with Google awarding roughly $210,000 in bounties, and users are urged to update or restart to apply protections.