Chrome fixes two actively exploited zero-days, and users should update now


Google has pushed an emergency Chrome security update after confirming that two high-severity flaws have active exploits in the wild. The patched desktop versions are 146.0.7680.75/76 for Windows and macOS, and 146.0.7680.75 for Linux. Google says the rollout will continue over the coming days and weeks.

The two vulnerabilities are CVE-2026-3909, an out-of-bounds write in Skia, and CVE-2026-3910, an inappropriate implementation issue in V8. Google says both bugs were reported internally on March 10, 2026, and that exploits for both already exist in the wild. That makes this a high-priority update for regular users, businesses, schools, and managed fleets.

In plain terms, this means attackers may have been able to use malicious web content to abuse browser memory handling or JavaScript processing. Google has not published deeper technical details yet, which is normal for active security issues. The company says it keeps bug details and links restricted until more users receive the fix.

In higher-risk environments, Chrome users should not wait for the automatic rollout. Google’s own update guidance says desktop users can force the check from Chrome’s menu, then restart the browser to finish the install.

What Google fixed

| Item | Details |
|---|---|
| Affected browser | Google Chrome desktop |
| Fixed versions | Windows/macOS: 146.0.7680.75/76; Linux: 146.0.7680.75 |
| Vulnerability 1 | CVE-2026-3909, out-of-bounds write in Skia |
| Vulnerability 2 | CVE-2026-3910, inappropriate implementation in V8 |
| Severity | High |
| Exploitation status | Google says both are exploited in the wild |
| Disclosure status | Technical details restricted for now |

Skia matters because Chrome uses it to render graphics and other visual content. Memory corruption bugs in rendering components can become serious when attackers find a reliable way to trigger them through a crafted page or asset. V8 matters for the same reason. It powers JavaScript and WebAssembly, which run constantly during normal browsing.

Google did not say how widespread the attacks are, who is behind them, or whether the exploits target consumers, enterprises, or both. Still, the wording on the official release page leaves little room for doubt: the exploits exist, and the fixes are already shipping.

For most users, the immediate task is simple. Update Chrome, relaunch it, and make sure the version number matches the patched release for your platform. For IT teams, this is a patching and verification job, especially on devices where users leave browsers open for long stretches. Google’s enterprise documentation also notes that admins can manage Chrome update behavior through policy.

How to update Chrome right now

  • Open Chrome
  • Click the three-dot menu
  • Go to Help
  • Click About Google Chrome
  • Let Chrome check for updates
  • Click Relaunch if that option appears
  • Reopen your tabs after restart

Google says if you do not see the relaunch option, your browser is already up to date. The company also notes that pending updates often install only after users close and reopen Chrome.

What organizations should do

  • Push the patched build as soon as possible
  • Confirm endpoints actually restarted after the update
  • Check policy settings that may delay browser updates
  • Prioritize high-risk users such as admins, finance teams, and executives
  • Watch for users running older Chrome builds that stayed open for days
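One way to turn that checklist into a fleet check, as an added example that is not from the article or from Google: it compares each endpoint's installed and running Chrome builds with the patched versions listed above. The record fields (`host`, `platform`, `installed`, `running`) and the sample hosts are assumptions constructed for illustration.

```python
# Minimum fixed build per platform, from the article: 146.0.7680.75/76 on
# Windows/macOS and 146.0.7680.75 on Linux, so .75 is the floor everywhere.
PATCHED_MIN = {"windows": "146.0.7680.75", "macos": "146.0.7680.75",
               "linux": "146.0.7680.75"}


def parse_version(text):
    """Parse 'A.B.C.D' into a tuple of ints; None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def classify(record):
    """Return 'patched', 'pending-relaunch', 'vulnerable' or 'unknown'."""
    minimum = PATCHED_MIN.get(record.get("platform", "").lower())
    installed = parse_version(record.get("installed", ""))
    running = parse_version(record.get("running", ""))
    if minimum is None or installed is None or running is None:
        return "unknown"  # unlisted platform or unparsable data: check by hand
    fixed = parse_version(minimum)
    # Tuples compare numerically, so a build ending .9 sorts below .75.
    if running >= fixed:
        return "patched"
    if installed >= fixed:
        return "pending-relaunch"  # update on disk, old process still open
    return "vulnerable"


def triage(inventory):
    """Group host names by status so unpatched machines are chased first."""
    report = {}
    for record in inventory:
        report.setdefault(classify(record), []).append(record["host"])
    return report


# Constructed sample inventory (hypothetical hosts and field names).
SAMPLE = [
    {"host": "fin-01", "platform": "Windows", "installed": "146.0.7680.76", "running": "146.0.7680.76"},
    {"host": "exec-02", "platform": "macOS", "installed": "146.0.7680.75", "running": "146.0.7680.72"},
    {"host": "dev-03", "platform": "Linux", "installed": "146.0.7680.71", "running": "146.0.7680.71"},
    {"host": "lab-04", "platform": "Windows", "installed": "145.0.9999.200", "running": "145.0.9999.200"},
    {"host": "kiosk-05", "platform": "ChromeOS", "installed": "146.0.7680.75", "running": "146.0.7680.75"},
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(status, hosts)
```

The `pending-relaunch` bucket covers endpoints where the update has downloaded but the browser was never restarted, so the old build is still the one processing web content.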

This incident also highlights a familiar security pattern. Browser zero-days move fast because browsers sit at the edge of daily work. They process untrusted content all day, and attackers know that one successful web-based exploit can open a door to bigger compromises.

Why this update matters

Chrome already shipped version 146 to stable on March 10, 2026, with a large batch of security fixes. Just two days later, Google issued this smaller desktop stable update specifically to address these two newly listed high-severity issues. That rapid follow-up shows the company treated the pair as urgent.

Users who rely on Chrome for work should update even if they already installed Chrome 146 earlier this week. The patched version is the newer 146.0.7680.75/76 release on desktop, not the earlier 146.0.7680.71/72 release.

FAQ

What are the two Chrome zero-days?

They are CVE-2026-3909, an out-of-bounds write in Skia, and CVE-2026-3910, an inappropriate implementation issue in V8. Google classifies both as high severity.

Are these vulnerabilities actively exploited?

Yes. Google says it is aware that exploits for both CVE-2026-3909 and CVE-2026-3910 exist in the wild.

Which Chrome versions contain the fixes?

The fixed desktop versions are 146.0.7680.75/76 for Windows and macOS, and 146.0.7680.75 for Linux.

How do I check whether I updated successfully?

Open Help > About Google Chrome and compare your version with the patched release for your platform. Google says the page also triggers an update check and shows a relaunch option if an update is ready.
