Full Report
Google on Thursday released security updates for its Chrome web browser to address two high-severity vulnerabilities that it said have been exploited in the wild. The list of vulnerabilities is as follows: CVE-2026-3909 (CVSS score: 8.8) - An out-of-bounds write vulnerability in the Skia 2D graphics library that allows a remote attacker to perform out-of-bounds memory access via a crafted HTML
Analysis Summary
# Vulnerability: Google Chrome Zero-Day Flaws in Skia and V8
## CVE Details
- **CVE ID:** CVE-2026-3909 and CVE-2026-3910
- **CVSS Score:** 8.8 (High)
- **CWE:**
  - CVE-2026-3909: CWE-787 (Out-of-bounds Write)
  - CVE-2026-3910: Inappropriate Implementation
## Affected Systems
- **Products:** Google Chrome and Chromium-based browsers (Microsoft Edge, Brave, Opera, Vivaldi).
- **Versions:** Versions prior to 146.0.7680.75.
- **Configurations:** Systems processing untrusted web content (HTML pages).
## Vulnerability Description
Google has addressed two distinct high-severity flaws:
1. **CVE-2026-3909:** Resides in the **Skia 2D graphics library**. It is an out-of-bounds write vulnerability that allows a remote attacker to perform out-of-bounds memory access via a crafted HTML page.
2. **CVE-2026-3910:** Resides in the **V8 JavaScript and WebAssembly engine**. It is classed as an "inappropriate implementation" flaw that allows a remote attacker to execute arbitrary code inside the browser's sandbox.
## Exploitation
- **Status:** Exploited in the wild (Zero-day).
- **Complexity:** Low (Triggered via interaction with a crafted page).
- **Attack Vector:** Network (Remote).
## Impact
- **Confidentiality:** High (Potential for memory reading and data theft).
- **Integrity:** High (Ability to execute code or modify memory).
- **Availability:** High (Potential for browser crashes or system instability).
## Remediation
### Patches
Users should update to the following versions or later:
- **Windows / macOS:** 146.0.7680.75/76
- **Linux:** 146.0.7680.75
### Workarounds
No specific functional workarounds are provided; immediate patching is the primary recommendation. Users should avoid visiting untrusted websites until the update is applied.
## Detection
- **Indicators of Compromise:** Unusual browser crashes or unexpected behavior when loading specific web pages.
- **Detection Methods:** Vulnerability scanners should check for Chrome build versions lower than 146.0.7680.75. Defensive tools (EDR/AV) may detect post-exploitation activity following a sandbox escape.
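As an added example, not part of the advisory or any vendor tool, the version-floor check above written out as a small fleet triage script over a constructed `host,version` export (hypothetical host names); it compares version components numerically rather than as strings, and flags unparseable entries instead of treating them as patched:

```python
from __future__ import annotations

# Fixed version from the advisory. Windows/macOS also ship 146.0.7680.76; both builds
# sit at or above this floor, so a single threshold covers all three platforms.
FIXED_VERSION = (146, 0, 7680, 75)


def parse_version(version: str) -> tuple:
    """Parse 'MAJOR.MINOR.BUILD.PATCH' into a tuple of ints; reject anything else."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(version: str) -> bool:
    """True when the build is at or above the fix for CVE-2026-3909 / CVE-2026-3910.
    Tuple comparison is component-wise, so '99.0.4844.51' is correctly below
    '146.0.7680.75' even though it sorts above it as a plain string."""
    return parse_version(version) >= FIXED_VERSION


def triage(inventory_csv: str) -> dict:
    """Bucket 'host,version' lines into patched / vulnerable / unknown.
    Unparseable versions land in 'unknown' so they are never silently marked safe."""
    result = {"patched": [], "vulnerable": [], "unknown": []}
    for line in inventory_csv.strip().splitlines():
        host, _, version = line.partition(",")
        try:
            bucket = "patched" if is_patched(version) else "vulnerable"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(host.strip())
    return result


# Constructed sample inventory (hypothetical hosts), as an EDR/MDM export might look.
SAMPLE_INVENTORY = """\
ws-01,146.0.7680.76
ws-02,146.0.7680.74
ws-03,99.0.4844.51
srv-lnx-1,146.0.7680.75
ws-04,unknown
"""

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```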
## References
- **Google Chrome Release Blog:** hxxps[://]chromereleases[.]googleblog[.]com/2026/03/stable-channel-update-for-desktop_12[.]html
- **CVE Records:**
  - hxxps[://]www[.]cve[.]org/CVERecord?id=CVE-2026-3909
  - hxxps[://]www[.]cve[.]org/CVERecord?id=CVE-2026-3910
- **Advisory Source:** hxxps[://]thehackernews[.]com/2026/03/google-fixes-two-chrome-zero-days[.]html