CISA warns of two Chrome zero-days under active attack, and one fix arrived a day later
CISA has added two Chrome zero-day vulnerabilities to its Known Exploited Vulnerabilities catalog after Google confirmed both bugs were being used in real-world attacks. The flaws, tracked as CVE-2026-3909 and CVE-2026-3910, affect core Chromium components and can be triggered through a crafted HTML page. Federal agencies must apply fixes by March 27, 2026.
The update timeline matters here. Google first pushed Chrome 146.0.7680.75/76 on March 12, but then revised that advisory on March 13 to say CVE-2026-3909 was not actually fixed in that build and would need a future update. Google released that follow-up patch on March 13 as Chrome 146.0.7680.80, which addressed CVE-2026-3909. In other words, users needed more than the first emergency update to fully cover both zero-days.
Google described CVE-2026-3910 as an inappropriate implementation issue in V8, Chrome’s JavaScript engine, and said an exploit for it exists in the wild. It described CVE-2026-3909 as an out-of-bounds write in Skia, the graphics engine used by Chrome and related products, and also said that flaw was being exploited in the wild. Both bugs were reported by Google Threat Analysis Group on March 10.
This is not just a Chrome desktop story. Google’s March 16 Long Term Support Channel update for ChromeOS also listed both CVE-2026-3909 and CVE-2026-3910 among the included security fixes, showing that the patching effort extends beyond the standard desktop browser. That means organizations should check ChromeOS fleets and any Chromium-based products that depend on the same vulnerable code.
What the two Chrome zero-days do
CVE-2026-3909 is an out-of-bounds write in Skia. CISA says it could allow a remote attacker to perform out-of-bounds memory access by getting a user to visit a crafted HTML page. This class of flaw can lead to memory corruption and can become highly valuable when chained with other bugs.
CVE-2026-3910 affects V8 and involves improper restriction of operations within the bounds of a memory buffer. Google’s advisory says the flaw can be exploited in the wild, and NVD notes it could allow code execution inside a restricted browser sandbox. That still gives attackers a powerful foothold, especially when paired with another escape or privilege escalation bug.
Chrome 0-day timeline
| Date | What happened |
|---|---|
| March 10, 2026 | Google Threat Analysis Group reported both CVE-2026-3909 and CVE-2026-3910 to Google. |
| March 12, 2026 | Google released Chrome 146.0.7680.75/76 and initially listed both flaws. |
| March 13, 2026 | Google corrected the earlier note and said CVE-2026-3909 would be fixed in a future update, then released Chrome 146.0.7680.80 with the Skia fix. |
| March 16, 2026 | Google released a ChromeOS LTS update that included both fixes. |
| March 17, 2026 | CISA warned that both flaws were actively exploited and set a March 27 federal patch deadline. |
Why this warning matters
CISA only adds vulnerabilities to the KEV catalog when there is evidence of active exploitation. That gives defenders a useful signal. These are not theoretical bugs sitting in a backlog. Attackers are already using them, and federal agencies now have a hard remediation deadline.
The other important detail is patch confusion. Anyone who updated on March 12 may have believed they were fully protected, but Google later said the first advisory incorrectly included CVE-2026-3909. Systems that stopped at version 146.0.7680.75/76 would still need the later 146.0.7680.80 update to close both zero-days on desktop Chrome.
What users and admins should do
- Update Chrome on Windows, macOS, and Linux to version 146.0.7680.80 or later.
- Check ChromeOS devices for the March 16 LTS security update if they are on managed enterprise channels.
- Update other Chromium-based browsers after their vendors ship corresponding fixes. The bugs sit in shared Chromium components, but each browser vendor rolls out patches on its own schedule.
- Treat any system still on the March 12 desktop build as potentially missing the CVE-2026-3909 fix.
- Push updates quickly across managed fleets because CISA considers both flaws actively exploited.
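The version check above has a trap: a fleet that stopped at 146.0.7680.75/76 looks "updated" but still lacks the Skia fix, and naive string comparison of dotted versions gets ordering wrong (as a string, "146.0.7680.9" sorts after "146.0.7680.80"). The following helper, an added example that is not part of the article and not Google's or CISA's tooling, parses the reported Chrome version into integer tuples and lists which of the two CVEs remain unfixed, using the fixed-in builds the article gives. The `--version` output format and the binary paths in `local_chrome_version` are assumptions about typical Linux and macOS installs; the sample outputs at the bottom are constructed.

```python
import re
import subprocess
from typing import Dict, List, Optional, Tuple

# Minimum desktop Chrome build that closes each CVE, per the article's timeline:
# CVE-2026-3910 (V8) was fixed in 146.0.7680.75/76, CVE-2026-3909 (Skia) only in 146.0.7680.80.
FIXED_IN: Dict[str, Tuple[int, ...]] = {
    "CVE-2026-3910": (146, 0, 7680, 75),
    "CVE-2026-3909": (146, 0, 7680, 80),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract a four-part Chrome version from text such as 'Google Chrome 146.0.7680.80'."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    # Integer tuples compare numerically component by component, unlike raw strings.
    return tuple(int(part) for part in m.groups())


def missing_fixes(version: Tuple[int, ...]) -> List[str]:
    """Return the CVEs whose fixed-in build is newer than the installed version."""
    return sorted(cve for cve, fixed in FIXED_IN.items() if version < fixed)


def assess(version_output: str) -> Dict[str, object]:
    """Classify a version string as patched, partially patched, unpatched or unknown."""
    version = parse_version(version_output)
    if version is None:
        # No parsable version: treat as unknown and report every CVE as unconfirmed.
        return {"version": None, "missing": sorted(FIXED_IN), "status": "unknown"}
    missing = missing_fixes(version)
    if not missing:
        status = "patched"
    elif len(missing) == len(FIXED_IN):
        status = "unpatched"
    else:
        status = "partially patched"  # the March 12 build: V8 fixed, Skia still open
    return {"version": ".".join(map(str, version)), "missing": missing, "status": status}


def local_chrome_version() -> Optional[str]:
    """Try common Chrome binaries (assumed paths) and return their --version output, if any."""
    candidates = [
        "google-chrome",
        "google-chrome-stable",
        "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome",
    ]
    for binary in candidates:
        try:
            out = subprocess.run([binary, "--version"], capture_output=True, text=True, timeout=10)
        except (FileNotFoundError, subprocess.SubprocessError):
            continue
        if out.returncode == 0 and out.stdout.strip():
            return out.stdout.strip()
    return None


if __name__ == "__main__":
    # Constructed sample outputs covering the partially patched and fully patched cases.
    samples = ["Google Chrome 146.0.7680.75", "Google Chrome 146.0.7680.80"]
    live = local_chrome_version()
    if live:
        samples.append(live)
    for sample in samples:
        result = assess(sample)
        print(f"{sample!r}: {result['status']}, missing {result['missing']}")
```

Run it on a managed host and feed the `status` field into inventory: anything reported as "partially patched" is the exact case the article warns about, a machine that took the March 12 build and never received 146.0.7680.80.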
FAQ
Yes. Google said exploits for both CVE-2026-3909 and CVE-2026-3910 exist in the wild, and CISA added both to the KEV catalog.
Chrome 146.0.7680.80 for Windows, macOS, and Linux fixes CVE-2026-3909, while the earlier March 12 build already addressed CVE-2026-3910. To cover both, users should be on 146.0.7680.80 or newer.
CVE-2026-3909 affects Skia, while CVE-2026-3910 affects V8. Both can be triggered with a crafted HTML page.
The March 27, 2026 deadline applies to Federal Civilian Executive Branch agencies under BOD 22-01, but the active-exploitation warning makes prompt patching a priority for private companies and individual users too.
Yes. Google’s March 16 ChromeOS Long Term Support update included fixes for both CVE-2026-3909 and CVE-2026-3910.