Overview
- Google released Chrome 146.0.7680.75/76 for Windows and macOS and 146.0.7680.75 for Linux in an out‑of‑band update to block active attacks.
- CVE-2026-3909 is an out‑of‑bounds write in the Skia graphics library, and CVE-2026-3910 is an inappropriate implementation in the V8 engine that can enable code execution.
- Both vulnerabilities can be triggered by a crafted web page, so users need to update and relaunch Chrome as the fixes roll out over the coming days and weeks.
- Google says it discovered and reported both flaws internally on March 10 and is restricting technical details until most users are protected.
- CISA added the two CVEs to its Known Exploited Vulnerabilities catalog with a March 27 remediation deadline for federal agencies, and other Chromium‑based browsers are expected to issue corresponding updates.