> PATCH NOW —— CVE-2026-3909 + CVE-2026-3910 —— status: ACTIVELY EXPLOITED —— vector: crafted_webpage —— impact: code_execution —— action: UPDATE_CHROME_IMMEDIATELY
Google has confirmed that exploits for both CVE-2026-3909 and CVE-2026-3910 exist in the wild. These vulnerabilities can be exploited through a crafted web page — meaning an employee simply visiting a malicious website could result in credential theft, data exfiltration, or full system compromise. Update Chrome to version 146.0.7680.75 or later immediately.
| CVE | Component | Type | Impact |
|---|---|---|---|
| CVE-2026-3909 | Skia (2D graphics library) | Out-of-bounds write | Can crash the browser or enable arbitrary code execution within the renderer process. When chained with CVE-2026-3910, can achieve full admin access. |
| CVE-2026-3910 | V8 (JavaScript/WebAssembly engine) | Inappropriate implementation | A remote attacker can execute arbitrary code within a sandbox via a crafted HTML page. Can be used in drive-by attacks to steal credentials, session cookies, and sensitive data from the browser. |
The critical risk is the chaining potential. Individually, each vulnerability is serious. Together, they can be chained to break out of Chrome's sandbox and achieve full administrative access to the underlying system. This means that a single visit to a compromised or malicious website — a drive-by attack — could give an attacker complete control of the employee's workstation.
| Action | Detail |
|---|---|
| Update Chrome immediately | Ensure all Chrome installations across your estate are updated to version 146.0.7680.75 or later (Windows/Mac: 146.0.7680.75/76, Linux: 146.0.7680.75). Google is rolling out the update — force it through your device management solution if available. |
| Verify updates across your estate | If you manage multiple devices, verify that the update has been applied to all of them. Chrome's auto-update mechanism is generally reliable, but devices that have been offline, are behind restrictive proxies, or have auto-update disabled may not receive the patch automatically. |
| Check other Chromium-based browsers | Microsoft Edge, Brave, Opera, and other Chromium-based browsers share the same V8 and Skia components. Check for corresponding updates from each browser vendor. Do not assume that only Chrome is affected. |
| Review browser management policies | If you do not have centralised browser management — the ability to push updates and verify compliance across all devices in your estate — this is the moment to implement it. The frequency of browser zero-days makes unmanaged browsers an unacceptable risk. |
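The "update" and "verify across your estate" actions above come down to one check per device: is the installed Chromium build at or above 146.0.7680.75? The script below is an added example, not tooling from the advisory's author, showing how to do that check correctly against an asset export. It assumes a hypothetical inventory format (one row per host with a `version` string as reported by the browser and a `last_seen_days` age from the management agent) and, for the local check, the usual Chrome binary names on Linux and macOS; Windows admins would read the version from the installed binary's file properties instead. The important detail it demonstrates is numeric per-component comparison: a string compare would wrongly rank `146.0.7680.9` above `146.0.7680.75`, and hosts that report no version at all (offline, proxied, or Chrome absent) must be surfaced rather than silently treated as compliant.

```python
import re
import subprocess
from typing import Optional

# Minimum fixed build from the advisory: 146.0.7680.75 on all platforms
# (Windows/Mac also ship a .76 build, which is newer and therefore fine).
MIN_FIXED_VERSION = "146.0.7680.75"

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[tuple]:
    """Extract a four-part Chromium version from strings such as
    'Google Chrome 146.0.7680.75' or 'Chromium 145.0.7632.101'."""
    m = _VERSION_RE.search(text or "")
    if not m:
        return None
    return tuple(int(p) for p in m.groups())


def is_patched(version_text: str, minimum: str = MIN_FIXED_VERSION) -> bool:
    """True when the installed build is at or above the fixed build.
    Tuples compare numerically per component, so 146.0.7680.9 < 146.0.7680.75."""
    installed = parse_version(version_text)
    required = parse_version(minimum)
    if installed is None:
        return False  # unparseable or missing: treat as unpatched and investigate
    return installed >= required


def local_chrome_version() -> Optional[str]:
    """Best-effort query of the local Chrome/Chromium binary on Linux or macOS.
    Returns the raw '--version' output, or None if no known binary is present.
    (Assumed binary names; adjust for your distribution or packaging.)"""
    candidates = [
        ["google-chrome", "--version"],
        ["google-chrome-stable", "--version"],
        ["chromium", "--version"],
        ["/Applications/Google Chrome.app/Contents/MacOS/Google Chrome", "--version"],
    ]
    for cmd in candidates:
        try:
            out = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
        except (FileNotFoundError, subprocess.TimeoutExpired):
            continue
        if out.returncode == 0 and parse_version(out.stdout):
            return out.stdout.strip()
    return None


def audit_inventory(inventory: list) -> list:
    """Return the hosts that still need the update, each with a short reason.
    Rows are dicts like {'host': ..., 'platform': ..., 'version': ..., 'last_seen_days': ...}
    (hypothetical export format)."""
    findings = []
    for row in inventory:
        version = row.get("version") or ""
        if is_patched(version):
            continue
        if parse_version(version) is None:
            reason = "no version reported (agent offline or Chrome absent?)"
        else:
            reason = "below fixed build"
            if row.get("last_seen_days", 0) > 7:
                reason += "; device not checked in for >7 days (offline/proxy?)"
        findings.append({"host": row["host"], "platform": row.get("platform"), "reason": reason})
    return findings


# Constructed sample inventory (not real hosts), shaped like an MDM/asset export.
SAMPLE_INVENTORY = [
    {"host": "ws-01", "platform": "windows", "version": "Google Chrome 146.0.7680.76", "last_seen_days": 0},
    {"host": "ws-02", "platform": "mac", "version": "Google Chrome 146.0.7680.75", "last_seen_days": 1},
    {"host": "ws-03", "platform": "linux", "version": "Google Chrome 145.0.7632.101", "last_seen_days": 2},
    {"host": "ws-04", "platform": "windows", "version": "Google Chrome 146.0.7680.9", "last_seen_days": 12},
    {"host": "ws-05", "platform": "windows", "version": None, "last_seen_days": 30},
]

if __name__ == "__main__":
    for f in audit_inventory(SAMPLE_INVENTORY):
        print(f"{f['host']:<8}{str(f['platform']):<9}{f['reason']}")
    local = local_chrome_version()
    if local:
        print("this host:", local, "patched" if is_patched(local) else "NEEDS UPDATE")
```

Run against the constructed inventory, the audit flags ws-03 (older major build), ws-04 (patch number below .75 and not checked in for 12 days) and ws-05 (no version reported), while ws-01 and ws-02 pass. Feed it your real export and extend `MIN_FIXED_VERSION` per browser once Edge, Brave and Opera publish their corresponding fixed builds; the advisory gives no version numbers for those, so do not reuse Chrome's.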
Browser zero-days are increasingly the weapon of choice for both criminal groups and state-sponsored actors. They require no user interaction beyond visiting a web page — no downloads, no attachments, no clicks on suspicious links. An employee browsing a legitimate website that has been compromised, or clicking a link in a convincing phishing email, is sufficient. The only defence is rapid, comprehensive patching.
Our vulnerability management assessments evaluate your organisation's ability to identify, prioritise, and deploy critical patches across your entire estate — including browsers, plugins, and endpoint software. When the next zero-day drops, will your patching keep pace?
We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.
Free Scoping Call