Vulnerabilities Chrome 146 Update Patches Two Exploited Zero-Days The flaws can be exploited to manipulate data and bypass security restrictions, potentially leading to code execution. By Ionut Arghire | March 13, 2026 (3:47 AM ET) Flipboard Reddit Whatsapp Whatsapp Email Google on Thursday announced an emergency Chrome 146 update that resolves two zero-day vulnerabilities exploited in the wild. The two high-severity issues, tracked as CVE-2026-3909 and CVE-2026-3910 (CVSS score of 8.8), were found by Google on March 10. “Google is aware that exploits for both CVE-2026-3909 & CVE-2026-3910 exist in the wild,” the internet giant notes in its advisory . CVE-2026-3909 is described as an out-of-bounds write defect in the Skia graphics library. It could be triggered via malicious HTML pages to corrupt memory, which could lead to arbitrary code execution or crashes. CVE-2026-3910 is an inappropriate implementation weakness in the V8 JavaScript engine that could allow attackers to craft malicious HTML pages and execute arbitrary code. V8 flaws are often targeted in sandbox escape attacks. Google has not provided details on the exploitation of these vulnerabilities, but Chrome bugs found by Google are often targeted by commercial spyware vendors. Advertisement. Scroll to continue reading. Both security defects were resolved in Chrome versions 146.0.7680.75/76 for Windows and macOS, and in version 146.0.7680.75 for Linux. Fixes for the bugs were also included in Chrome for Android version 146.0.76380.115. The emergency security update was rolled out two days after Chrome 146 was promoted to the stable channel with fixes for 29 flaws. These included a critical bug in WebML, high-severity issues in WebML, Web Speech, Agents, WebMCP, Extensions, TextEncoding, MediaStream, WebMIDI, and WindowDialog, and over a dozen medium- and low-severity vulnerabilities. Google said it paid roughly $210,000 in bounty rewards to the researchers who reported the bugs. Still, the final amount might be much higher, as it did not disclose the amounts paid for 10 vulnerabilities. The internet giant awarded security researcher Tobias Wienand $76,000 for reporting two WebML issues. It also paid $43,000 and $36,000 to the two researchers who found high-severity bugs in WebML and Web Speech, respectively. Related: Google Plans Two-Week Release Schedule for Chrome Related: Vulnerability Allowed Hijacking Chrome’s Gemini Live AI Assistant Related: Google Working Towards Quantum-Safe Chrome HTTPS Certificates Related: Google Patches First Actively Exploited Chrome Zero-Day of 2026 Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire 238,000 Impacted by Bell Ambulance Data Breach Scanner Raises $22 Million for AI-Powered Threat Hunting Fortinet, Ivanti, Intel Patch High-Severity Vulnerabilities Quantro Security Emerges From Stealth With $2.5 Million in Funding Microsoft Patches 83 Vulnerabilities Adobe Patches 80 Vulnerabilities Across Eight Products SAP Patches Critical FS-QUO, NetWeaver Vulnerabilities Escape Raises $18 Million to Automate Pentesting Latest News Apple Updates Legacy iOS Versions to Patch Coruna Exploits Meta Launches New Protection Tools as It Helps Disrupt Scam Centers Ally WordPress Plugin Flaw Exposes Over 200,000 Websites to Attacks The Human IOC: Why Security Professionals Struggle with Social Vetting Splunk, Zoom Patch Severe Vulnerabilities Cisco Patches High-Severity IOS XR Vulnerabilities Critical N8n Vulnerabilities Allowed Server Takeover Polyfill Supply Chain Attack Impacting 100k Sites Linked to North Korea Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Securing Fragile OT in an Exposed World March 10, 2026 Get a candid look at the current OT threat landscape as we move past "doom and gloom" to discuss the mechanics of modern OT exposure. Register Virtual Event: Supply Chain Security and Third-Party Risk Summit March 18, 2026 Join the event where top security experts unpack the biggest software supply chain risks. Register People on the Move Business software company Rippling has appointed Adrian Ludwig as CSO. Orca Security has named Rachel Nislick as Chief Marketing Officer. Netskope has appointed Joseph Welsh as leader of US public sector sales. More People On The Move Expert Insights The Human IOC: Why Security Professionals Struggle with Social Vetting Applying SOC-level rigor to the rumors, politics, and 'human intel' can make or break a security team. (Joshua Goldfarb) How to 10x Your Vulnerability Management Program in the Agentic Era The evolution of vulnerability management in the agentic era is characterized by continuous telemetry, contextual prioritization and the ultimate goal of agentic remediation. (Nadir Izrael) SIM Swaps Expose a Critical Flaw in Identity Security SIM swap attacks exploit misplaced trust in phone numbers and human processes to bypass authentication controls and seize high-value accounts. (Torsten George) Four Risks Boards Cannot Treat as Background Noise The goal isn’t about preventing every attack but about keeping the business running when attacks succeed. (Steve Durbin) How to Eliminate the Technical Debt of Insecure AI-Assisted Software Development Developers must view AI as a collaborator to be closely monitored, rather than an autonomous entity to be unleashed. Without such a mindset, crippling tech debt is inevitable. (Matias Madou) Flipboard Reddit Whatsapp Whatsapp Email