Google Patches Two Chrome Vulnerabilities Exploited in the Wild (CVE-2026-3909 & CVE-2026-3910)

Google released fixes to address two zero-day vulnerabilities impacting its Chrome browser. Tracked as CVE-2026-3909 & CVE-2026-3910, both vulnerabilities have been assigned a high severity rating with a CVSS score of 8.8. Both vulnerabilities were discovered and reported by Google itself on March 10, 2026.

CISA also acknowledged the active exploitation of the vulnerabilities and added them to its Known Exploited Vulnerabilities Catalog. CISA urged users to patch the vulnerabilities before March 27, 2026.

CVE-2026-3909

An out-of-bounds write vulnerability in the Skia 2D graphics library that allows a remote attacker to perform out-of-bounds memory access via a crafted HTML page.

CVE-2026-3910

An inappropriate implementation vulnerability in the V8 JavaScript and WebAssembly engine that allows a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.

This development comes less than a month after Google fixed a high-severity use-after-free vulnerability in Chrome’s CSS component, tracked as CVE-2026-2441, which was also exploited as a zero-day. Google has patched a total of three actively weaponized Chrome zero-days since the start of the year.

Affected Versions

The vulnerabilities affect Google Chrome versions before 146.0.7680.80.

Mitigation

Customers must upgrade to the latest stable channel version 146.0.7680.80 for Windows/Mac and 146.0.7680.80 for Linux.

For more information, please refer to the Google Chrome Release Page for CVE-2026-3909 & CVE-2026-3910.
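To confirm which endpoints are still below the fixed build, the following added example (not part of the original advisory or any Qualys or Google tooling) compares reported Chrome version strings against 146.0.7680.80. The host names and inventory values are constructed, and the input format is assumed to resemble the output of `google-chrome --version`.

```python
import re

# Fixed build named on this page for Windows, Mac and Linux.
FIXED_BUILD = (146, 0, 7680, 80)

# Matches Chrome's four-part version anywhere in a string, e.g. the
# output of `google-chrome --version` ("Google Chrome 146.0.7680.80").
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_chrome_version(text):
    """Return the version as a 4-tuple of ints, or None if absent."""
    match = _VERSION_RE.search(text or "")
    return tuple(int(part) for part in match.groups()) if match else None


def classify(version_text):
    """Classify one reported version string against the fixed build."""
    version = parse_chrome_version(version_text)
    if version is None:
        return "unknown"  # never treat unparsable data as patched
    # Tuple comparison is numeric per component, so .9 sorts below .80.
    return "vulnerable" if version < FIXED_BUILD else "patched"


def triage(inventory):
    """Map {host: version string} to {status: sorted host list}."""
    result = {"vulnerable": [], "patched": [], "unknown": []}
    for host, version_text in inventory.items():
        result[classify(version_text)].append(host)
    return {status: sorted(hosts) for status, hosts in result.items()}


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = {
    "ws-001": "Google Chrome 146.0.7680.80",
    "ws-002": "Google Chrome 146.0.7680.79",
    "ws-003": "Google Chrome 145.0.7632.160 beta",
    "ws-004": "Google Chrome 146.0.7680.9",
    "ws-005": "Google Chrome 147.0.7700.3",
    "ws-006": "",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts that land in `unknown` should be re-inventoried rather than assumed patched.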

Qualys Detection

Qualys customers can scan their devices with QIDs 386790 & 386791 to detect vulnerable assets.

Rapid Response with TruRisk™ Eliminate

Qualys TruRisk Eliminate and its Zero-Touch Patching feature provide a seamless, automated process for patching vulnerabilities like this.

Zero-Touch Patching identifies the most vulnerable products in your environment and automates the deployment of necessary patches and configuration adjustments. This streamlines the patching process and ensures vulnerabilities are addressed promptly.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_12.html
https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_13.html