Google has released an emergency update for Chrome that fixes two high-severity vulnerabilities that are already being exploited as zero-days. In its official notice, the company acknowledges that there is evidence of active exploitation of both flaws and has released patches for the stable desktop versions on Windows, macOS and Linux.
One of the flaws is an out-of-bounds write in Skia, the open source library responsible for 2D rendering in multiple projects, including Chromium. This type of error can cause the browser to crash or, at worst, allow arbitrary code execution if an attacker manages to manipulate the affected memory. Skia is a critical component in the rendering chain, so any defect in its handling of graphic objects can have serious implications for browser security. More information on the technical nature of this type of weakness is available in the relevant CWE description from MITRE and on the Skia project's own site at skia.org.

The other vulnerability affects the V8 engine, which runs JavaScript and WebAssembly. Google describes it as an inappropriate implementation issue in V8 that could be exploited to compromise the security of code execution in the browser. V8 is the component that interprets and optimizes the web code used by most modern pages and applications; errors in its logic can therefore open very valuable doors for persistent attackers. The V8 project maintains documentation and resources at v8.dev.
Google has not published technical details of the specific exploitation incidents, explaining that it restricts access to sensitive information until most users have received the patch or until third-party libraries that share the same vulnerability have also been fixed. This practice seeks to prevent more attackers from building exploits before devices and users are updated.
The patched versions already published for the stable channel are 146.0.7680.75 on Windows, 146.0.7680.76 on macOS and 146.0.7680.75 on Linux. Google distributed the update urgently and, although it warns that full deployment may take days or weeks to reach all users, some analyses and checks, such as those made by specialized media, found the patch immediately available on several machines.
If you use Chrome, the most practical and secure course is to update as soon as possible and restart the browser. You can force an update check from the Chrome menu or let the automatic update settings do the work and install the patch at the next browser start. Keeping automatic updates enabled reduces the time a vulnerable browser remains exposed.
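
For a fleet, the fixed builds listed above can be checked against an inventory export. The following Python code is an added example, not part of Google's notice; the inventory rows and host names are constructed, and it applies only to Google Chrome itself, since other Chromium-based browsers use their own version numbers.

```python
# Patched stable builds per platform, as stated in the article.
PATCHED = {
    "windows": "146.0.7680.75",
    "macos": "146.0.7680.76",
    "linux": "146.0.7680.75",
}


def parse_version(text):
    """Turn 'Google Chrome 146.0.7680.75' or '146.0.7680.75' into a 4-int tuple."""
    tokens = text.split()
    parts = tokens[-1].split(".") if tokens else []
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Chrome version: {text!r}")
    # Compare as integers: as strings, '9' would sort above '75'.
    return tuple(int(p) for p in parts)


def status(platform, version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one install."""
    baseline = PATCHED.get(platform.lower())
    if baseline is None:
        return "unknown"
    try:
        installed = parse_version(version_text)
    except ValueError:
        return "unknown"
    return "patched" if installed >= parse_version(baseline) else "vulnerable"


def audit(rows):
    """rows: (host, platform, version_text). Returns installs that need attention."""
    checked = ((host, status(plat, ver), ver) for host, plat, ver in rows)
    return [row for row in checked if row[1] != "patched"]


# Constructed inventory sample; host names and the older build are hypothetical.
SAMPLE = [
    ("ws-001", "windows", "146.0.7680.75"),
    ("ws-002", "windows", "Google Chrome 145.0.7632.160"),
    ("mac-01", "macOS", "146.0.7680.75"),  # one build short of the macOS fix
    ("lnx-01", "linux", "Google Chrome 146.0.7680.75 "),
    ("lnx-02", "linux", "146.0.7680"),  # truncated value, cannot be judged
]

if __name__ == "__main__":
    for host, state, version in audit(SAMPLE):
        print(f"{host}: {state} ({version})")
```

Installs reported as `unknown` should be treated as unpatched until their version is confirmed.
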
It is important to remember that many Chromium-based browsers share components such as Skia and V8. This means that, when a flaw is discovered in these components, other browsers that incorporate them can also be affected and will need to publish their own patches. For this reason, users should watch for updates to alternative browsers and for security advisories from their developers.
This pair of fixes adds to the other zero-days Google has fixed so far this year. At the beginning of February, another actively exploited vulnerability, related to the implementation of font feature values in CSS, had already been fixed. In 2025 the company closed eight zero-day flaws exploited in real environments, many of them reported by its Threat Analysis Group (TAG), the internal team that tracks and analyzes sophisticated threats. Google's notices about Chrome updates are published on the official Chrome releases blog at chromereleases.googleblog.com.

The bug-hunting ecosystem also remains active: Google recently reported millions of payments to researchers who reported vulnerabilities through its reward program. If you are interested in how bug bounty initiatives work and where to report bugs, the program's official page is at bughunters.google.com.
What can users do besides update? Keeping the operating system and applications up to date reduces the attack surface; avoiding unknown links or files and not allowing installations from unverified sources reduces the risk of falling for exploitation techniques that start outside the browser. For corporate environments, measures such as centralized patch deployment, endpoint management tools and network segmentation help contain possible intrusions. Security media such as BleepingComputer often cover this type of alert quickly and can be used to follow how the incident develops.
In short, these are two serious and actively exploited flaws that have received an urgent fix. The main recommendation is to update Chrome as soon as possible and keep automatic updates enabled, because in security the difference between being exposed and being protected is often simply accepting and installing a patch on time.