Emergency Chrome 146 update patches 2 zero-day vulnerabilities

In summary:
- PCWorld reports that Google has released an emergency Chrome 146 update fixing two zero-day vulnerabilities (CVE-2026-3909 and CVE-2026-3910) actively exploited by attackers.
- The update fixes 29 security vulnerabilities in total, including critical vulnerabilities in the Skia graphics library and the V8 JavaScript engine that pose high risks to users.
- Users should immediately update to Chrome versions 146.0.7680.75/76 via manual check, as these vulnerabilities are actively exploited in real-world attacks.
In the new Chrome versions 146.0.7680.75/76 for Windows and macOS and 146.0.7680.75 for Linux, the developers have fixed two security vulnerabilities. According to Google, both vulnerabilities are already being exploited in the wild. This update comes just a day after Chrome versions 146.0.7680.71/72 for Windows and macOS and 146.0.7680.71 for Linux, which fixed 29 other vulnerabilities.
In the Chrome Releases blog post, Srinivas Sista lists the two security vulnerabilities that have just been fixed. They were discovered internally on February 10 and are classified as high risk.
Typically, Chrome updates automatically when a new version is available. But if you don’t have it yet, you can manually trigger the update via the menu item Help > About Google Chrome.
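For anyone who has to confirm the update on more than one machine, the following added example (not from PCWorld or Google) sorts reported Chrome version strings by the build numbers quoted above. It assumes the stable channel only; the host names and the sample inventory are constructed.

```python
import re

# Build numbers as quoted in the article; stable channel only (assumption).
CHROME_146_BUILD = (146, 0, 7680, 71)    # major release with 29 fixes
ZERO_DAY_FIX_BUILD = (146, 0, 7680, 75)  # fixes CVE-2026-3909 and CVE-2026-3910

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract a four-part Chrome version from free text, or None."""
    match = VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def classify(text):
    """Classify one reported version string against the article's builds."""
    version = parse_version(text)
    if version is None:
        return "unknown"
    # Tuples compare numerically, so build .100 sorts after .75
    # (a plain string comparison would get this wrong).
    if version >= ZERO_DAY_FIX_BUILD:
        return "patched"
    if version >= CHROME_146_BUILD:
        return "missing-zero-day-fixes"
    return "missing-all-146-fixes"


def triage(inventory):
    """Map host -> status for a {host: version string} inventory."""
    return {host: classify(raw) for host, raw in inventory.items()}


# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE = {
    "ws-01": "Google Chrome 146.0.7680.76",
    "ws-02": "Google Chrome 146.0.7680.72",
    "mac-01": "Google Chrome 145.0.7000.10",   # constructed older build
    "lnx-01": "Google Chrome 146.0.7680.100",  # constructed later build
    "lnx-02": "chrome: not installed",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE).items()):
        print(f"{host}: {status}")
```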
Zero Day Security Breaches
The first zero-day security vulnerability is a bug in the Skia graphics library (CVE-2026-3909) that allows write access to memory addresses outside the bounds of a predefined buffer (“out-of-bounds write”).
The second zero-day vulnerability (CVE-2026-3910) is found in the V8 JavaScript engine, described as an “inappropriate implementation.” It’s unclear what exactly was poorly implemented and why it’s such a problem.
Google remains discreet about the nature and scale of attacks exploiting these vulnerabilities.
Important: Whether or not you keep your browser up to date, you need proper antivirus protections if you want to keep your PC secure and private. Check out our selection of the best antivirus software for Windows as well as the best VPN services to stay ahead of security concerns.
What else is fixed in Chrome 146?
Two days earlier, on March 10, Google released the new major version of Chrome 146, which you can learn about in this Chrome Releases blog post. This update fixed 29 security vulnerabilities, almost all of which were reported by external security researchers.
One of the vulnerabilities (CVE-2026-3913) is classified as critical; it concerns a buffer overflow in the WebML component. Tobias Wienand, the discoverer of this vulnerability, was awarded $33,000 for it. He also received an additional $43,000 for CVE-2026-3915, another WebML buffer overflow (although this one is only rated as high risk).
Eleven security vulnerabilities were identified as high risk and eleven others as medium risk. Google has so far awarded more than $200,000 to those who discovered these vulnerabilities. In some cases, Google has not yet determined the amount of their respective rewards.
This article was originally published on our sister publication PC-WELT and has been translated and localized from German.




