In a swift response to emerging threats, Google has released an urgent update for Chrome, version 146, to address two critical zero-day vulnerabilities. These flaws, identified as CVE-2026-3909 and CVE-2026-3910, were actively exploited and demanded immediate attention.
Details of the Security Flaws
The vulnerabilities, both carrying a CVSS score of 8.8, were detected by Google on March 10. CVE-2026-3909 is attributed to an out-of-bounds write issue within the Skia graphics library. This defect allows malicious HTML pages to corrupt memory, potentially leading to unauthorized code execution or system crashes.
CVE-2026-3910, on the other hand, is an improper implementation flaw in the V8 JavaScript engine. It can be exploited through a malicious HTML page to achieve arbitrary code execution. Such vulnerabilities are often leveraged in sandbox escape attacks, posing significant security risks.
Patch Deployment and Impact
Google has not disclosed the specifics of the attacks exploiting these vulnerabilities so far. However, the security patches are now available in Chrome versions 146.0.7680.75/76 for Windows and macOS, and version 146.0.7680.75 for Linux. Additionally, the fixes have been included in Chrome for Android version 146.0.76380.115.
This emergency update was deployed merely two days after Chrome 146 reached the stable channel, which included resolutions for 29 different security flaws. These ranged from a critical bug in WebML to various high-severity issues across components such as Web Speech and Extensions.
Incentives for Security Researchers
In recognition of contributions to its security efforts, Google has awarded approximately $210,000 in bounty rewards to researchers who reported flaws fixed in the Chrome 146 stable release. The company noted that the actual total could be higher, as payouts for 10 vulnerabilities were not disclosed.
Notably, security expert Tobias Wienand was awarded $76,000 for discovering two issues in WebML. Additional rewards of $43,000 and $36,000 were given to researchers who found high-severity flaws in WebML and Web Speech, respectively.
As Google continues to enhance browser security, users are advised to promptly update to the latest version of Chrome to safeguard against potential threats.
