Google released emergency Chrome updates in March 2026 to patch two zero-day vulnerabilities under active exploitation. CVE-2026-3909 is in Skia, Chrome’s graphics library, while CVE-2026-3910 is in the V8 JavaScript engine. Both vulnerabilities affect 3 billion Chrome users worldwide and carry CVSS scores of 8.8. CISA added both to its Known Exploited Vulnerabilities catalog on March 13, requiring federal agencies to patch by March 27. If you’re running Chrome, update to version 146.0.7680.80 immediately; attackers are already using these exploits.
Why These Vulnerabilities Matter
The attack vector is disturbingly simple: visit a malicious webpage, and the exploit triggers. No additional user interaction required. CVE-2026-3909 enables out-of-bounds memory writes through Skia, Google’s 2D graphics library that handles text rendering, shapes, images, and UI elements across Chrome, Android, and Flutter. When an attacker crafts an HTML page to exploit this flaw, they can corrupt memory and potentially achieve remote code execution.
CVE-2026-3910 targets V8, the JavaScript engine powering Chrome, Node.js, and Deno. This type confusion vulnerability allows arbitrary code execution inside the browser sandbox. V8 uses Just-In-Time (JIT) compilation to optimize JavaScript performance by making assumptions about data types. When attackers poison V8’s inline cache with crafted JavaScript—often using Proxy or WeakMap objects—the engine misinterprets object types, treating a number as an array or vice versa. This triggers heap buffer overflows and creates conditions for code execution.
V8 and Skia: Chrome’s Recurring Weak Points
V8 vulnerabilities accounted for 50% of Chrome’s zero-days in 2025—four out of eight total. Google patched CVE-2025-2783 (a sandbox escape used in espionage against Russian targets), CVE-2025-4664 (account hijacking), CVE-2025-5419 and CVE-2025-6558 (code execution), CVE-2025-10585 (type confusion), and CVE-2025-13223. Now in Q1 2026, we’re already at two zero-days, putting Chrome on pace to match or exceed 2025’s total.
The root cause is architectural. Both V8 and Skia are written in C++, a language without memory safety guarantees. Chrome’s codebase spans 10+ million lines of C++, and memory corruption bugs account for 70% of Chrome vulnerabilities. V8’s JIT compilation adds complexity: performance optimizations require type assumptions, and those assumptions create attack opportunities. Skia handles untrusted web content constantly, processing images and graphics from any webpage a user visits.
Government Response and Industry Implications
CISA’s addition of CVE-2026-3909 and CVE-2026-3910 to the KEV catalog signals the severity of these threats. Under Binding Operational Directive (BOD) 22-01, federal agencies must remediate by March 27, 2026. This isn’t bureaucratic theater—CISA only adds vulnerabilities with confirmed active exploitation that pose significant risk to federal networks.
The broader 2025 zero-day landscape saw 90 vulnerabilities exploited in the wild across all products, down from 100 in 2023 but up from 78 in 2024. While browser exploitation decreased overall, browsers remain critical infrastructure. Three billion Chrome users represent a massive attack surface, and the trend shows attackers targeting core browser components like V8 and Skia with increasing sophistication.
What You Need to Do
Update Chrome immediately. Navigate to chrome://settings/help to verify you’re running version 146.0.7680.80 or later. Restart your browser after the update completes. If you use Chromium-based browsers like Microsoft Edge, Opera, or Brave, update those as well—they inherit Chromium vulnerabilities.
Organizations should deploy this update across all endpoints before CISA’s March 27 deadline. The emergency patch also includes 26 additional security fixes affecting WebGL, WebRTC, Blink, ANGLE, CSS, PDFium, and the Network stack, demonstrating the breadth of Chrome’s attack surface.
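As an added example (not from the original article or from Google), this Python sketch audits a fleet inventory against the patched Chrome version and KEV deadline named above. The hostnames, inventory lines and the Edge version string are constructed; Chromium-based browsers other than Chrome are flagged for a vendor check because the article gives no fixed versions for them. Versions are compared numerically, since a plain string comparison would rank 146.0.7680.9 above 146.0.7680.80.

```python
import re
from datetime import date

# Values taken from the article.
PATCHED_CHROME = (146, 0, 7680, 80)
KEV_DEADLINE = date(2026, 3, 27)

# Constructed sample inventory: (hostname, browser version string as reported
# by an endpoint agent). Hosts and the Edge version are made up for illustration.
SAMPLE_INVENTORY = [
    ("ws-001", "Google Chrome 146.0.7680.80"),
    ("ws-002", "Google Chrome 146.0.7680.9"),   # older build, but sorts higher as a string
    ("ws-003", "Google Chrome 145.0.7632.160"),
    ("ws-004", "Microsoft Edge 146.0.3856.59"),
    ("ws-005", "Google Chrome unknown"),
]

# Product name followed by a four-part dotted version.
VERSION_RE = re.compile(r"^(?P<product>.+?)\s+(?P<ver>\d+(?:\.\d+){3})\b")

def parse(line):
    """Return (product, version_tuple), or (None, None) if the line is unparseable."""
    m = VERSION_RE.match(line.strip())
    if not m:
        return None, None
    return m["product"], tuple(int(p) for p in m["ver"].split("."))

def classify(line):
    """Classify one inventory line against the patched Chrome version."""
    product, ver = parse(line)
    if ver is None:
        return "UNPARSEABLE"      # treat as unpatched until a version is confirmed
    if product != "Google Chrome":
        return "CHECK_VENDOR"     # fixed version must come from that vendor's advisory
    return "PATCHED" if ver >= PATCHED_CHROME else "VULNERABLE"

def audit(inventory, today):
    """Return per-host status, hosts still needing action, and days to the deadline."""
    results = {host: classify(line) for host, line in inventory}
    open_hosts = sorted(h for h, s in results.items() if s != "PATCHED")
    return results, open_hosts, (KEV_DEADLINE - today).days

if __name__ == "__main__":
    results, open_hosts, days_left = audit(SAMPLE_INVENTORY, date(2026, 3, 16))
    for host, status in results.items():
        print(f"{host}: {status}")
    print(f"{len(open_hosts)} host(s) still open, {days_left} day(s) to the KEV deadline")
```

Because Chrome applies an update only after a restart, the inventory should record the version of the running browser process rather than the version installed on disk.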
For developers, this is a reminder that browser security is everyone’s problem. Don’t rely solely on browser sandboxes for application security—implement defense-in-depth strategies. Monitor Chrome security bulletins and understand the browser security model. When Google releases emergency patches for actively exploited vulnerabilities, deployment speed matters.
The Memory Safety Question
Google is exploring Rust for new Chrome components, and the industry is slowly acknowledging that memory-safe languages could prevent 70% of current vulnerabilities. But rewriting 10 million lines of C++ isn’t practical in the short term. The hybrid approach—new code in Rust, legacy code in C++—is pragmatic but incomplete. Memory-safe browsers remain years away.
Until then, the zero-day arms race continues. V8 and Skia will remain targets because they’re complex, written in C++, and fundamental to how browsers work. Active exploitation is the new normal. Browser updates aren’t optional—they’re critical infrastructure maintenance.













