Google has released a security update for Chrome that fixes two critical flaws that, according to the company itself, are already being exploited by attackers in the wild. Both are high-severity vulnerabilities that affect key browser components: the Skia graphics library and the V8 JavaScript/WebAssembly engine.
The first flaw, tracked as CVE-2026-3909, is an out-of-bounds write in Skia, the 2D library Chrome uses to draw graphics. In simple terms, an attacker can craft an HTML page so that the browser tries to read or write memory outside the intended area, which can cause unexpected behavior or make it easier for malicious code to interfere with normal browser execution.

The second problem, CVE-2026-3910, affects V8 and has been described as an inappropriate implementation that allows an attacker to run arbitrary code inside the browser's sandbox by means of a web page crafted for that purpose. In short, this means that a well-designed exploit could break down the security barriers that usually isolate a page's code from the user's system.
Both vulnerabilities have a high CVSS score (8.8) and, according to Google, were discovered internally and reported on March 10, 2026. The company has confirmed that exploits for these flaws exist in the wild, but, as usual in such cases, it has not shared technical details about how they work or who might be behind the abuse, to prevent more malicious actors from replicating them. Google's official note on the update is available on its Chrome Releases blog: Stable Channel Update for Desktop.
This fix comes weeks after a correction of similar severity in the browser's CSS component, identified as CVE-2026-2441, which brings to three the number of actively exploited zero-days that Google has patched since the beginning of the year. This pattern underlines that browsers remain a priority target for actors seeking to compromise devices through simple visits to manipulated web pages.
To protect yourself, Google recommends updating Chrome to versions 146.0.7680.75/76 on Windows and macOS, and to 146.0.7680.75 on Linux. The fastest way to check whether you already have the patch is to open Chrome, go to More > Help > About Google Chrome and allow the browser to restart after it downloads the update. Google's official help page explains this process in more detail: How to update Google Chrome.
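The same version check, scripted for several machines at once, as an added example that is not from Google or the original article. The host names, the inventory lines and the older build number are constructed; `google-chrome --version` is the version flag of Chrome's Linux launcher.

```shell
#!/bin/sh
PATCHED="146.0.7680.75"   # floor from the article; .76 on Windows/macOS also passes

# Pull the four-part version out of text like "Google Chrome 146.0.7680.75 ".
extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\(\.[0-9][0-9]*\)\{3\}\).*/\1/p'
}

# Return 0 when version $1 >= version $2, comparing each field as a number
# (a plain string comparison would rank 146.0.7680.100 below 146.0.7680.75).
version_ge() {
    a=$1 b=$2
    for i in 1 2 3 4; do
        x=${a%%.*} y=${b%%.*}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        a=${a#*.} b=${b#*.}
    done
    return 0
}

# Print PATCHED, VULNERABLE or UNKNOWN for one line of version output.
chrome_status() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then echo UNKNOWN
    elif version_ge "$v" "$PATCHED"; then echo PATCHED
    else echo VULNERABLE
    fi
}

# Constructed inventory (host|version output); hosts and old build are made up.
INVENTORY='ws-01|Google Chrome 146.0.7680.75
ws-02|Google Chrome 145.0.7632.116
mac-07|Google Chrome 146.0.7680.76
ws-09|error: browser not found'

audit_inventory() {
    printf '%s\n' "$1" | while IFS='|' read -r host out; do
        printf '%s %s\n' "$host" "$(chrome_status "$out")"
    done
}

audit_inventory "$INVENTORY"

# Also check this machine when Chrome's Linux launcher is on PATH.
if command -v google-chrome >/dev/null 2>&1; then
    printf 'local %s\n' "$(chrome_status "$(google-chrome --version 2>/dev/null)")"
fi
```

A host reported as UNKNOWN needs a manual look; a browser that has downloaded the update but not yet been restarted is still running the old build.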

If you use browsers built on Chromium, such as Microsoft Edge, Brave, Opera or Vivaldi, it is advisable to keep an eye on their own updates: many Chromium fixes are later incorporated into these projects, but deployment times may vary between vendors. Keeping the browser updated is the simplest and most effective measure against this type of threat.
In addition to applying the update as soon as possible, it is worth maintaining basic good practices that reduce risk: avoid clicking on suspicious links, do not visit sites of dubious origin, limit installed extensions to those strictly necessary, and keep the operating system and security software up to date. Although these practices are not foolproof, they help reduce exposure while vendors release patches.
The fact that Google has had to fix several zero-days in a short time is a reminder that the threat landscape is evolving rapidly. Updating now and restarting the browser may be the difference between having a normal day and dealing with a security incident. Maintaining a proactive attitude toward updates and digital hygiene remains the best defense.