Threat actors are exploiting two high-severity zero-day vulnerabilities in the Chrome browser that experts say IT teams must patch immediately.
Google has issued emergency patches for the two holes, CVE-2026-3909 and CVE-2026-3910. This comes just days after the release of 29 fixes as part of March Patch Tuesday, and a zero-day patch released in February. Browser versions before 146.0.7680.75 are affected.
These exploits provide yet another reason why infosec leaders need to ensure there’s a corporate patching strategy in place for all authorized browsers and plugins.
“If you’re not managing browser patches, your odds of getting pwned are increasing daily,” said David Shipley of Canada-based security awareness training provider Beauceron Security.
CVE-2026-3910 allows a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page, because of an inappropriate implementation within Chrome’s V8 JavaScript and WebAssembly engine. CVE-2026-3909 allows a remote attacker to perform out-of-bounds memory access via a crafted HTML page; the cause is an out-of-bounds write in Chrome’s Skia graphics library. Accessing browser memory could result in the loss of sensitive corporate information, noted Shipley.
Following company policy, Google isn’t releasing details about the bugs until a majority of users are updated with a fix.
Browsers a prime target
Browsers are a prime target for threat actors because they are a tool everyone online uses. A 2025 report by Omdia for Palo Alto Networks estimated that, in a 12-month period, 95% of organizations suffered a security incident originating from an employee’s browser.
Because of this, one expert has noted that adversaries now target the browser directly, with attacks like cross-site scripting (XSS), session hijacking via stolen tokens, and advanced phishing that bypasses traditional MFA. A browser-centric zero trust framework is the necessary response, he argued.
These new flaws underscore the reason why browser engines remain among the most attractive targets for attackers, noted Jack Bicer, director of vulnerability research at Action1. “With active exploitation already confirmed, organizations that delay updates risk exposing users to drive-by attacks delivered through compromised or malicious websites.”
Chromium and all Chromium-based browsers, including Chrome, Edge, and others, must be updated to the latest security versions as soon as possible, he said. Admins should also ensure that automatic updates are enabled across enterprise endpoints, monitor for outdated browser versions, and consider browser isolation technologies to reduce exposure to web-based attacks.
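To act on the inventory advice above, here is an added example (not from the article or any of the quoted vendors) that flags hosts whose Chrome or Chromium build predates 146.0.7680.75, the first fixed build the article names. The hostnames and version strings in the sample inventory are constructed, and the threshold applies to Chrome/Chromium version numbers only, not to Edge's separate numbering.

```python
import re
from typing import List, Tuple

# First Chrome build carrying the fixes for CVE-2026-3909 and CVE-2026-3910 (from the article).
FIXED_VERSION = "146.0.7680.75"


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract a dotted Chrome version from text such as 'Google Chrome 146.0.7680.75'
    (the shape of `google-chrome --version` output) and return it as a 4-tuple of ints."""
    m = re.search(r"(\d+(?:\.\d+){1,3})", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    # Pad short versions so '146.0' compares as 146.0.0.0 rather than failing.
    return parts + (0,) * (4 - len(parts))


def is_vulnerable(version_text: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build is older than the fixed build.
    Tuple comparison is numeric per component, so 146.0.7679.120 < 146.0.7680.75."""
    return parse_version(version_text) < parse_version(fixed)


def outdated_hosts(inventory: List[Tuple[str, str]], fixed: str = FIXED_VERSION) -> List[str]:
    """Return the hostnames from (host, version_string) pairs that still need the update."""
    return [host for host, version in inventory if is_vulnerable(version, fixed)]


# Constructed sample inventory, e.g. gathered from endpoint management exports.
SAMPLE_INVENTORY = [
    ("wks-01", "Google Chrome 146.0.7680.75"),   # exactly the fixed build
    ("wks-02", "Google Chrome 146.0.7679.120"),  # older branch, higher patch number
    ("wks-03", "Chromium 145.0.7600.90"),        # one major release behind
    ("wks-04", "Google Chrome 146.0.7680.77"),   # newer than the fix
]

if __name__ == "__main__":
    for host in outdated_hosts(SAMPLE_INVENTORY):
        print(f"{host}: outdated Chrome/Chromium, update to {FIXED_VERSION} or later")
```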
Scott Caveza, senior staff research engineer at Tenable, agreed that the latest two zero-days should be on the radar of any organization where Chrome is actively installed. While Google hasn’t provided details on the abuse of these flaws, he noted that most browser-related exploits do require a victim to visit a crafted website, making attacks more likely to be targeted.
Fortunately, he added, updating Chrome is fast and easy, and many installations leave automatic updates enabled.
“We know attackers are opportunistic, and when they set their sights on one of the most widely installed browsers in the market, it’s imperative that teams are taking action now to ensure updates are applied as soon as possible,” he said.