Google released fixes to address two zero-day vulnerabilities impacting its Chrome browser. Tracked as CVE-2026-3909 & CVE-2026-3910, both vulnerabilities have been assigned a high severity rating with a CVSS score of 8.8. Both vulnerabilities were discovered and reported by Google itself on March 10, 2026.
CISA also acknowledged the active exploitation of the vulnerabilities and added them to its Known Exploited Vulnerabilities Catalog. CISA urged users to patch the vulnerabilities before March 27, 2026.
CVE-2026-3909
An out-of-bounds write vulnerability in the Skia 2D graphics library that allows a remote attacker to perform out-of-bounds memory access via a crafted HTML page.
Qualys Threat Intelligence assigned a Qualys Vulnerability Score (QVS) of 95 to CVE-2026-3909. Qualys Vulnerability Score (QVS) is a Qualys-assigned score for a vulnerability based on multiple factors associated with the CVE, such as CVSS scores and external threat indicators like active exploitation, exploit code maturity, CISA known exploits, and more.
CVE-2026-3910
An inappropriate implementation vulnerability in the V8 JavaScript and WebAssembly engine that allows a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
Qualys Threat Intelligence likewise assigned a Qualys Vulnerability Score (QVS) of 95 to CVE-2026-3910.
This development comes less than a month after Google fixed a high-severity use-after-free vulnerability, tracked as CVE-2026-2441, in Chrome's CSS component. That vulnerability was also exploited as a zero-day. Google has patched a total of three actively weaponized Chrome zero-days since the start of the year.
Affected Versions
Both vulnerabilities affect Google Chrome versions before 146.0.7680.80.
Mitigation
Customers must upgrade to the latest stable channel version 146.0.7680.80 for Windows/Mac and 146.0.7680.80 for Linux.
For more information, please refer to the Google Chrome Release Page for CVE-2026-3909 & CVE-2026-3910.
Microsoft has released the Microsoft Edge Stable Channel (Version 146.0.3856.62) to address CVE-2026-3909, which the Chromium team has reported as being exploited in the wild.
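The patched builds above are four-part version strings, and a common mistake when checking an inventory against them is to compare the strings lexically (where "146.0.7680.9" sorts after "146.0.7680.80" and so looks patched). The following is an added example, not Qualys or Google code, that parses versions numerically and flags hosts still below the fixed Chrome and Edge builds named in this advisory; the CSV inventory format and host names are constructed assumptions for the demonstration.

```python
import re

# Fixed builds as stated in the advisory: Chrome Stable 146.0.7680.80,
# Edge Stable 146.0.3856.62. Stored as int tuples so ordering is numeric.
FIXED_VERSIONS = {
    "chrome": (146, 0, 7680, 80),
    "edge": (146, 0, 3856, 62),
}

# Chromium-style versions are exactly four dot-separated integers.
VERSION_RE = re.compile(r"^\d+(\.\d+){3}$")


def parse_version(text):
    """Turn '146.0.7680.80' into (146, 0, 7680, 80); reject anything else."""
    text = text.strip()
    if not VERSION_RE.match(text):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(product, version):
    """True when the installed build is strictly below the fixed build."""
    fixed = FIXED_VERSIONS[product.strip().lower()]
    return parse_version(version) < fixed


def triage_inventory(lines):
    """Rows of 'host,product,version' (assumed format) -> list of
    (host, product, version, vulnerable) tuples. Comment/blank rows skipped."""
    results = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, product, version = (field.strip() for field in line.split(","))
        results.append((host, product, version, is_vulnerable(product, version)))
    return results


# Constructed sample inventory; hosts and versions are made up for the example.
SAMPLE_INVENTORY = """\
# host,product,version
ws-01,chrome,146.0.7680.80
ws-02,chrome,146.0.7680.9
ws-03,edge,146.0.3856.62
ws-04,edge,145.0.3800.100
ws-05,chrome,146.0.7680.81
""".splitlines()


if __name__ == "__main__":
    for host, product, version, vulnerable in triage_inventory(SAMPLE_INVENTORY):
        state = "VULNERABLE" if vulnerable else "patched"
        print(f"{host:6} {product:6} {version:16} {state}")
```

Note that ws-02 (146.0.7680.9) is reported as vulnerable only because the comparison is numeric; a plain string comparison against "146.0.7680.80" would have cleared it.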
Qualys Detection
Qualys customers can scan their devices with QIDs 386792, 386790, 386809, and 386791 to detect vulnerable assets.
Rapid Response with TruRisk™ Eliminate
Qualys TruRisk Eliminate and its Zero-Touch Patching feature provide a seamless, automated process for patching vulnerabilities like this.
Zero-Touch Patching identifies the most vulnerable products in your environment and automates the deployment of necessary patches and configuration adjustments. This streamlines the patching process and ensures vulnerabilities are addressed promptly.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_12.html
https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_13.html