Google Issues Urgent Chrome Security Update After Two Dangerous Zero Day Flaws Found Under Active Attack

In a major cybersecurity alert affecting billions of internet users, Google has confirmed two critical zero day vulnerabilities in its Chrome browser that are already being exploited by attackers. The emergency disclosure has triggered an urgent global security update, putting an estimated 3.5 billion Chrome users on alert.

Security experts warn that these flaws could allow hackers to execute malicious code simply by convincing a user to visit a specially crafted website. Google has already released a patch, but the update will take time to reach all users. That means millions of devices could remain temporarily exposed if the browser is not updated quickly.

The warning comes as cyber threats continue to escalate worldwide, with browsers increasingly becoming the primary target for attackers seeking access to personal data, passwords, and financial information.

Google has identified the vulnerabilities as CVE 2026 3909 and CVE 2026 3910, both rated as high severity security flaws. The most concerning aspect is that these are zero day vulnerabilities, meaning attackers were already exploiting them before Google discovered and patched the issues.

Unlike most browser vulnerabilities, which are typically reported by independent security researchers, these flaws were discovered internally by Google’s own security team.

Because the exploits are active in the wild, Google has temporarily restricted detailed technical information about the vulnerabilities until the majority of users have installed the security update. This precaution is meant to prevent attackers from using the information to expand ongoing attacks.

Security analysts say this type of controlled disclosure is standard practice when dealing with zero day threats that could still affect millions of devices.

The first vulnerability, CVE 2026 3909, is described as an out of bounds memory vulnerability within Chrome’s graphics library known as Skia. This component is responsible for rendering parts of the browser interface and web content.

Memory related flaws are particularly dangerous because they can allow attackers to execute malicious code remotely.

In practical terms, a user could become a victim simply by visiting a malicious webpage. Once triggered, the flaw may allow hackers to run code on the system without the user realizing it.

Cybersecurity experts say such vulnerabilities are highly prized among attackers because they can potentially lead to full device compromise.

The second vulnerability, CVE 2026 3910, affects V8, the powerful JavaScript engine at the heart of Chrome. V8 processes JavaScript code used by modern websites and web applications.

According to vulnerability tracking platform OpenCVE, the issue involves an inappropriate implementation flaw that could allow a remote attacker to execute arbitrary code inside a browser sandbox through a specially crafted HTML page.

The JavaScript engine has historically been a frequent target for attackers because it handles complex code execution across millions of websites every day.

Even though Chrome uses sandboxing to isolate threats, sophisticated attackers can sometimes bypass these protections through vulnerabilities like this one.

The emergency patch follows a major Chrome security update released on March 10, which addressed 29 vulnerabilities. Just two days earlier, another update had already been released on March 3, highlighting the increasingly rapid pace of browser security fixes.

Google has also announced a shift in its update schedule. Starting with Chrome 153, stable security updates will move to a fortnightly release cycle, effectively doubling the frequency of security updates.

This change reflects the growing need for faster responses to emerging cyber threats targeting browsers and online services.

While the latest vulnerabilities were discovered internally, Google continues to rely heavily on its Vulnerability Reward Program to identify security flaws.

The program recently passed its 15 year milestone, and during that time Google has paid 81.6 million dollars to security researchers who responsibly disclose vulnerabilities.

In 2025 alone, payouts exceeded 17 million dollars, showing the scale of ongoing security research around Google products.

According to Google security officials Tony Mendez and Dirk Göhmann, the largest single bounty in 2025 was awarded to two researchers who discovered logic bugs within Chrome’s inter process communication mechanisms and demonstrated how they could be exploited.

More than 100 security researchers received a combined 3,716,750 dollars for vulnerabilities affecting Chrome last year.

Google has also expanded its reward programs to include vulnerabilities related to artificial intelligence systems, with 350,000 dollars already paid out through the AI vulnerability disclosure initiative.

Although Google has begun rolling out the emergency security update, it will not reach all users instantly. The company says the update will be distributed gradually over the coming days and weeks.

To stay protected, users should manually check for updates and restart their browser once the patch has been installed.

Users can do this by opening the Chrome menu, selecting Help, then choosing About Google Chrome, which automatically checks for updates and installs the latest version if needed.

The latest patched versions are reported as:

Windows and Mac
Version 146.0.7680.75 or 146.0.7680.76

Linux
Version 146.0.7680.75

Restarting the browser is essential because updates do not take effect until Chrome is relaunched.

While news of vulnerabilities can sound alarming, security experts say the rapid discovery and patching of flaws actually reflects the strength of Chrome’s security ecosystem.

Google’s collaboration with security researchers worldwide allows vulnerabilities to be detected and fixed before they can cause widespread damage.

Still, the latest incident serves as a reminder that keeping software updated remains one of the most important steps users can take to stay safe online.

With billions of people relying on Chrome every day, even a single vulnerability can quickly become a global security issue if updates are ignored.