
Chrome 146 Update Patches Two Exploited Zero-Days

The flaws can be exploited to manipulate data and bypass security restrictions, potentially leading to code execution. The post Chrome 146 Update Patches Two Exploited Zero-Days appeared first on SecurityWeek.


Google on Thursday announced an emergency Chrome 146 update that resolves two zero-day vulnerabilities exploited in the wild.

The two high-severity issues, tracked as CVE-2026-3909 and CVE-2026-3910 (CVSS score of 8.8), were found by Google on March 10.

“Google is aware that exploits for both CVE-2026-3909 & CVE-2026-3910 exist in the wild,” the internet giant notes in its advisory.

CVE-2026-3909 is described as an out-of-bounds write defect in the Skia graphics library. It could be triggered via malicious HTML pages to corrupt memory, which could lead to arbitrary code execution or crashes.

CVE-2026-3910 is an inappropriate implementation weakness in the V8 JavaScript engine that could allow attackers to craft malicious HTML pages and execute arbitrary code. V8 flaws are often targeted in sandbox escape attacks.

Google has not provided details on the exploitation of these vulnerabilities, but Chrome bugs found by Google are often targeted by commercial spyware vendors.

Both security defects were resolved in Chrome versions 146.0.7680.75/76 for Windows and macOS, and in version 146.0.7680.75 for Linux. Fixes for the bugs were also included in Chrome for Android version 146.0.76380.115.

The emergency security update was rolled out two days after Chrome 146 was promoted to the stable channel with fixes for 29 flaws.

These included a critical bug in WebML, high-severity issues in WebML, Web Speech, Agents, WebMCP, Extensions, TextEncoding, MediaStream, WebMIDI, and WindowDialog, and over a dozen medium- and low-severity vulnerabilities.

Google said it paid roughly $210,000 in bounty rewards to the researchers who reported the bugs. Still, the final amount might be much higher, as it did not disclose the amounts paid for 10 vulnerabilities.

The internet giant awarded security researcher Tobias Wienand $76,000 for reporting two WebML issues. It also paid $43,000 and $36,000 to the two researchers who found high-severity bugs in WebML and Web Speech, respectively.

Update: Google on Friday clarified that the fixes for CVE-2026-3909 were included in Chrome version 146.0.7680.80 for Windows and macOS, and in version 146.0.7680.80 for Linux.
