Chrome Zero-Day Alert: CVE-2026-3909 & CVE-2026-3910 Explained
You opened Chrome this morning, checked a few tabs, maybe clicked a link someone sent you. Nothing unusual. Nothing suspicious. And if your browser hadn't updated overnight, that routine moment could have been enough for an attacker to take over your computer.
On March 13, 2026, Google pushed an emergency update for Chrome after confirming that two serious security flaws were already being actively exploited — meaning real attackers, right now, are using these weaknesses to compromise real people's devices. Google discovered both flaws itself on March 10 and had patches out within two days. That speed tells you how serious this is.
The same day, the US government's cybersecurity agency CISA added both vulnerabilities to its official list of flaws being actively exploited in the wild — and gave all federal agencies a deadline of March 27 to patch. If you haven't updated Chrome yet, you're exposed to attacks that are happening today.
- CVE-2026-3909: Flaw in Chrome's graphics rendering engine (Skia) — CVSS 8.8 (High)
- CVE-2026-3910: Flaw in Chrome's JavaScript engine (V8) — CVSS 8.8 (High)
- Status: Both actively exploited in the wild — confirmed by Google
- Discovered: March 10, 2026 — by Google's own security team
- Patch released: March 13, 2026 — emergency out-of-band update
- CISA KEV: Added March 13, 2026 — federal deadline March 27
- Safe version: Chrome 146.0.7680.75 (Windows/Linux) or 146.0.7680.76 (macOS)
- 2026 Chrome zero-days so far: 3 (CVE-2026-2441 patched in February was the first)
- Attack method: Visiting a malicious webpage — no download, no click required
What "Zero-Day" Actually Means
A zero-day vulnerability is a security flaw that attackers are already exploiting before the software maker has had time to fix it. The term comes from the idea that developers have had "zero days" to prepare a defence.
In this case, Google found both flaws and fixed them itself — but the crucial detail is that someone was already using them to attack people. Google doesn't release emergency updates on a Thursday unless something is genuinely urgent. Their normal update cycle is every four weeks. When they break that pattern, it means the threat is real and active right now.
Google tracked 90 zero-day vulnerabilities actively exploited across all software in 2025 — up from 78 the year before. Chrome is consistently one of the most targeted applications because it's the front door to almost everything people do online.
The Two Flaws — What Broke and What It Means
Chrome is not one piece of software. It's dozens of specialised components working together — one handles graphics, one runs website code, one manages your tabs, one keeps web content isolated from the rest of your computer. Two of those components had serious flaws.
CVE-2026-3909 — The Graphics Flaw
Every time you visit a website, Chrome draws what you see on screen using a graphics system called Skia. Images, shapes, fonts, layouts — Skia renders all of it. This flaw caused Skia to write data into parts of the computer's memory it wasn't supposed to touch.
Think of computer memory as a row of locked boxes, each assigned to a specific task. This bug caused Chrome to write into the wrong box — a box belonging to something else entirely. In the right circumstances, an attacker can carefully arrange which box gets overwritten and with what content, steering that memory corruption toward running code of their choice.
CVE-2026-3910 — The JavaScript Engine Flaw
V8 is the part of Chrome that runs JavaScript — the programming language that powers almost every interactive element on every website you visit. Forms, buttons, videos, live search, shopping carts — all of it runs through V8.
This flaw allowed a malicious webpage to run code inside Chrome's protected area — a contained space where web content is supposed to be isolated from the rest of your computer. Think of it as a walled garden. This flaw lets attackers get their code running inside that garden.
Alone, neither flaw gives an attacker full control. Together, they form a chain. The graphics flaw corrupts memory to create an opening. The JavaScript flaw executes code through that opening. What starts as "visiting a webpage" ends with an attacker running software on your computer.
No download. No suspicious file. No warning. The attack happens entirely through the browser rendering a page — the same thing it does millions of times a day for billions of people.
How the Attack Happens in Practice
The victim doesn't have to do anything unusual. The attack just requires Chrome to load a page that contains hidden exploit code. There are several ways attackers get people onto that page:
Phishing emails — the most common delivery method. An email with a link that looks legitimate. One click opens the page, the page loads the exploit, the attack executes.
Watering holes — legitimate websites that have been quietly compromised. A news site, an industry forum, a supplier's portal. The visitor thinks they're doing something routine. The exploit fires in the background.
Malicious ads — adverts placed through real ad networks that load exploit code. No interaction required beyond the page loading with the ad visible.
Once the exploit chain completes, the attacker's code is running on the victim's computer under Chrome's permissions. From there, the practical consequences are serious:
Chrome stores everything — saved passwords, session cookies (the tokens that keep you logged in to websites), browser history, autofill data including addresses and card details. An attacker with code running inside Chrome doesn't need your password for your email or your bank. They already have the token that proves you're logged in. They can access those accounts directly.
Beyond Chrome's own data, with the right follow-up steps, the attacker can move from the browser onto the broader operating system — installing malware, creating persistent access, or using your machine as a foothold to reach other systems on the same network.
Why This Is Especially Relevant for Businesses
For individuals, a compromised browser is a serious privacy and financial risk. For businesses, it's potentially a network breach.
Most work today happens through a browser. Email, internal tools, HR systems, finance platforms, customer databases, cloud infrastructure — employees access nearly everything through Chrome. A compromised browser session is effectively a compromised identity. An attacker who hijacks a logged-in session doesn't need credentials — they step into an authenticated session as if they were the employee.
This is one of the reasons browser zero-days are so valuable to attackers. The browser is where corporate identity lives, and identity is what gives access to everything else.
MITRE ATT&CK Mapping
| Tactic | Technique ID | Technique Name | How It Applies |
|---|---|---|---|
| Initial Access | T1189 | Drive-by Compromise | Victim visits a malicious or compromised page — no interaction beyond loading required |
| Initial Access | T1566.002 | Phishing: Spearphishing Link | Targeted delivery via email link to exploit page |
| Execution | T1203 | Exploitation for Client Execution | CVE-2026-3909 and CVE-2026-3910 chain triggers code execution via crafted HTML |
| Defense Evasion | T1211 | Exploitation for Defense Evasion | CVE-2026-3910 allows code execution inside Chrome's protected sandbox |
| Credential Access | T1539 | Steal Web Session Cookie | Post-exploitation access to Chrome's stored session tokens — no password needed |
| Credential Access | T1555.003 | Credentials from Password Stores: Web Browsers | Saved passwords, autofill data accessible from compromised browser process |
| Collection | T1185 | Browser Session Hijacking | Active authenticated sessions in SaaS apps, email, and cloud platforms hijacked directly |
| Persistence | T1176 | Browser Extensions | Malicious extension installed post-exploitation to maintain access and monitor future sessions |
| Lateral Movement | T1550.004 | Use Alternate Authentication Material: Web Session Cookie | Stolen session tokens used to access corporate SaaS and cloud platforms as the victim |
Indicators of Compromise (IOCs)
Google has withheld specific technical details of how these exploits are being delivered — standard practice while the majority of users are still unpatched. Detection at the browser level is limited, but there are behavioral signals worth monitoring:
```text
# Chrome CVE-2026-3909 / CVE-2026-3910 — Detection Indicators

# Browser process anomalies
Alert: Chrome renderer process spawning unexpected child processes
(cmd.exe, powershell.exe, sh, bash — not normal Chrome behaviour)
Alert: Chrome process accessing file paths outside normal browser profile directories
Alert: Chrome subprocess making outbound network connections
to non-Google, non-CDN destinations immediately after page load

# Credential and session theft indicators
Alert: Authenticated session from new device or geography
within short window of a known Chrome browsing session
Alert: Access to sensitive SaaS platform (email, HR, finance)
from IP inconsistent with user's known locations
Alert: Multiple SaaS logins in rapid succession from same session token
across different platforms — consistent with session cookie replay

# Extension-based persistence
Alert: New browser extension installed outside IT-approved list
Alert: Browser extension requesting broad permissions (read all site data,
access to all URLs) without user-initiated install event

# Network indicators (post-exploitation)
Alert: Outbound connections to domains registered within last 30 days
originating from browser process
Alert: Encrypted traffic from Chrome to non-CDN IP during non-browsing hours
Alert: DNS queries to newly-registered or low-reputation domains
immediately following browser session on external site

# Patch status detection
Alert: Chrome version below 146.0.7680.75 detected on any endpoint
as of March 13, 2026 — treat as unpatched and high-risk
```
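The first indicator group above (a Chrome renderer spawning a shell or script host) is the one most endpoint telemetry can express directly. The following is an added example, not code from the ZyberWalls post or from Google: it runs that rule over a handful of constructed process-creation events shaped like Sysmon Event ID 1 / EDR records. The `ProcessEvent` field names are an assumed schema to map onto your own telemetry, and the sample paths and command lines are invented.

```python
"""Flag Chrome child processes that a browser has no business launching.

Added example (not from the ZyberWalls post or Google). Telemetry schema,
sample paths and command lines are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    image: str            # path of the newly created process
    cmdline: str
    parent_pid: int
    parent_image: str
    parent_cmdline: str


# Shells and script hosts that a browser has no reason to launch.
SHELLS_AND_SCRIPT_HOSTS = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "sh", "bash", "zsh", "dash",
}
# Every sandboxed Chrome child carries --type=<kind>; the main (broker)
# process has no --type flag.
SANDBOXED_TYPES = {"renderer", "gpu-process", "utility", "ppapi"}


def basename(path: str) -> str:
    """Last path component, lower-cased, for Windows or POSIX paths."""
    return path.replace("\\", "/").rstrip("/").rsplit("/", 1)[-1].lower()


def is_chrome(image: str) -> bool:
    # Covers chrome.exe, chrome (Linux) and "Google Chrome Helper (Renderer)"
    # (macOS); tighten to your deployed binary names if this is too broad.
    return basename(image).startswith(("chrome", "google chrome"))


def chrome_process_type(cmdline: str) -> str:
    for tok in cmdline.split():
        if tok.startswith("--type="):
            return tok[len("--type="):]
    return "browser"


@dataclass(frozen=True)
class Finding:
    severity: str
    pid: int
    child: str
    parent_type: str


def analyse(events: List[ProcessEvent]) -> List[Finding]:
    findings = []
    for ev in events:
        if not is_chrome(ev.parent_image):
            continue
        child = basename(ev.image)
        if child not in SHELLS_AND_SCRIPT_HOSTS:
            continue
        ptype = chrome_process_type(ev.parent_cmdline)
        # A sandboxed renderer/GPU/utility process spawning a shell is the
        # strongest signal; the broker process occasionally launches external
        # handlers, so it is scored lower and left for an analyst to triage.
        severity = "high" if ptype in SANDBOXED_TYPES else "medium"
        findings.append(Finding(severity, ev.pid, child, ptype))
    return findings


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    # Normal: the browser process launching a renderer.
    ProcessEvent(4101, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 "chrome.exe --type=renderer --lang=en-GB",
                 4000, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 "chrome.exe"),
    # Anomalous: a renderer spawning PowerShell.
    ProcessEvent(4205, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoProfile -Command Get-ChildItem",
                 4101, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 "chrome.exe --type=renderer --lang=en-GB"),
    # Not Chrome: a user's shell from Explorer is out of scope for this rule.
    ProcessEvent(4300, r"C:\Windows\System32\cmd.exe", "cmd.exe",
                 1200, r"C:\Windows\explorer.exe", "explorer.exe"),
    # Anomalous: the GPU process launching cmd.exe.
    ProcessEvent(4410, r"C:\Windows\System32\cmd.exe", "cmd.exe /c set",
                 4050, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 "chrome.exe --type=gpu-process"),
    # Lower confidence: the broker process launching bash on Linux.
    ProcessEvent(5120, "/bin/bash", "bash -c env",
                 5000, "/opt/google/chrome/chrome", "/opt/google/chrome/chrome"),
    # Normal: the broker handing a PDF to an external viewer.
    ProcessEvent(5130, r"C:\Program Files\Adobe\Acrobat\Acrobat.exe", "Acrobat.exe",
                 4000, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 "chrome.exe"),
]


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"[{f.severity.upper()}] pid={f.pid} {f.child} spawned by Chrome {f.parent_type} process")
```

The severity split is the point worth copying: a renderer or GPU process should never create a shell, whereas the unsandboxed browser process does legitimately hand files to external applications, so the two deserve different alert tiers rather than one blanket rule.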
SOC Alert Priorities
Alert Priority 1 — Identify every unpatched Chrome instance across your environment today: Any Chrome installation below version 146.0.7680.75 is currently vulnerable to attacks that are confirmed to be happening right now. This is not a "patch in the next cycle" situation. Inventory your browser versions across all endpoints, administrator workstations, and shared systems. Unpatched machines should be treated as potentially already compromised until updated.
Alert Priority 2 — Monitor for authenticated sessions appearing from unexpected locations: The most practical post-exploitation signal for browser attacks is session anomalies. If an employee's authenticated session for email, a cloud platform, or an internal tool suddenly appears from a new device, a new location, or a new IP — especially shortly after they were browsing — treat it as a compromise indicator. Stolen session tokens work immediately and don't trigger password-based alerts.
Alert Priority 3 — Watch Chrome renderer processes for unusual child process activity: A browser that has been exploited will often attempt to run system commands through the browser process. Chrome's renderer spawning a command prompt or scripting engine is not normal behaviour and should trigger immediate investigation. If your endpoint detection tools can monitor process relationships, this rule should already be active.
Alert Priority 4 — Audit browser extensions across your estate: Post-exploitation persistence via browser extensions is well-documented. An attacker who gets code running inside Chrome may install a silent extension that captures future sessions, passwords, and page content. Any extension appearing on endpoints that wasn't deployed through your IT process warrants investigation, especially if it requests access to all websites.
Alert Priority 5 — Treat browsers as identity infrastructure, not just applications: The broader lesson of browser zero-days is that the browser is where your employees' identities live. Session tokens for every platform they use pass through Chrome constantly. If your security monitoring focuses on endpoints and network but doesn't include browser session analytics and identity monitoring across SaaS platforms, this attack class will repeatedly evade detection.
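Alert Priority 2 and the "session cookie replay" indicator in the IOC list describe the same check: one session token appearing from two places in a short window. The following is an added example, not code from the ZyberWalls post, that implements it over constructed SaaS sign-in log lines. The log format (key=value fields after an ISO timestamp), the field names, the RFC 5737 documentation addresses and the session hashes are all assumptions; the `session` field stands for a hash of the cookie, never the cookie value itself.

```python
"""Detect a session cookie used from inconsistent locations or clients.

Added example (not from the ZyberWalls post). Log format and sample
entries are constructed for illustration.
"""
import shlex
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    app: str
    session: str    # hash of the session cookie, never the raw cookie
    ip: str
    country: str
    ua: str


@dataclass(frozen=True)
class Finding:
    user: str
    session: str
    first_ip: str
    new_ip: str
    minutes_apart: float


def parse_line(line: str) -> AuthEvent:
    tokens = shlex.split(line)   # shlex keeps quoted user agents as one token
    ts = datetime.fromisoformat(tokens[0].replace("Z", "+00:00"))
    f = dict(tok.split("=", 1) for tok in tokens[1:])
    return AuthEvent(ts, f["user"], f["app"], f["session"], f["ip"], f["cc"], f["ua"])


def detect_replay(events: List[AuthEvent],
                  window: timedelta = timedelta(minutes=30)) -> List[Finding]:
    """Flag a session seen from a new IP inside `window` when the country or
    the client also changed. Requiring a second differing attribute keeps
    ordinary Wi-Fi-to-mobile address changes out of the alert queue."""
    findings: List[Finding] = []
    reported = set()
    history: Dict[str, List[AuthEvent]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        seen = history.setdefault(ev.session, [])
        for prev in seen:
            if ev.ts - prev.ts > window:
                continue
            if prev.ip != ev.ip and (prev.country != ev.country or prev.ua != ev.ua):
                key = (ev.session, ev.ip)
                if key not in reported:   # one finding per session/IP pair
                    reported.add(key)
                    findings.append(Finding(ev.user, ev.session, prev.ip, ev.ip,
                                            (ev.ts - prev.ts).total_seconds() / 60))
                break
        seen.append(ev)
    return findings


# Constructed sample log (RFC 5737 documentation addresses, fake session hashes).
SAMPLE_LOG = """\
2026-03-16T09:12:04Z user=alice@example.com app=mail session=h1 ip=203.0.113.10 cc=GB ua="Chrome/146 Windows"
2026-03-16T09:15:30Z user=alice@example.com app=hr session=h1 ip=203.0.113.10 cc=GB ua="Chrome/146 Windows"
2026-03-16T09:21:07Z user=alice@example.com app=mail session=h1 ip=198.51.100.77 cc=NL ua="Chrome/146 Windows"
2026-03-16T09:22:40Z user=alice@example.com app=finance session=h1 ip=198.51.100.77 cc=NL ua="Chrome/146 Windows"
2026-03-16T10:05:00Z user=bob@example.com app=mail session=h2 ip=203.0.113.44 cc=GB ua="Chrome/146 macOS"
2026-03-16T10:09:12Z user=bob@example.com app=mail session=h2 ip=203.0.113.91 cc=GB ua="Chrome/146 macOS"
2026-03-16T11:00:00Z user=carol@example.com app=intranet session=h3 ip=203.0.113.5 cc=GB ua="Chrome/146 Windows"
2026-03-16T11:04:00Z user=carol@example.com app=intranet session=h3 ip=203.0.113.200 cc=GB ua="curl/8.5"
"""


def findings_from_log(text: str) -> List[Finding]:
    return detect_replay([parse_line(l) for l in text.splitlines() if l.strip()])


if __name__ == "__main__":
    for f in findings_from_log(SAMPLE_LOG):
        print(f"session {f.session} of {f.user}: {f.first_ip} -> {f.new_ip} "
              f"within {f.minutes_apart:.0f} min")
```

On the sample data Alice's token is flagged (same cookie, new country nine minutes later, across mail and finance) and Carol's is flagged because the cookie reappears from a command-line client; Bob's address change inside the same country with the same browser is ignored. Treat the 30-minute window and the "second attribute must differ" rule as tuning knobs, not constants.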
How to Update Chrome Right Now
Open Chrome and click the three dots in the top right corner. Go to Help, then About Google Chrome. Chrome will check for updates automatically and show you the current version. If it shows a version below 146.0.7680.75 (Windows/Linux) or 146.0.7680.76 (macOS), click the update button. Crucially — restart the browser completely after the update. Chrome downloads updates in the background but the patch is not active until the browser relaunches. Many people skip the restart and remain vulnerable without realising it.
For IT and security teams managing Chrome across an organisation: push version 146.0.7680.75/76 through your endpoint management system immediately. Do not wait for automatic rollout — Google acknowledges that automatic updates can take days or weeks to reach all users, which is too long given confirmed active exploitation.
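For teams doing the inventory step at scale, the two traps are comparing version strings lexically (so an older build can sort as "newer") and counting a machine as safe because the updated binary is on disk when the running browser has not been relaunched. The following is an added example, not code from the ZyberWalls post or from Google: it triages a constructed endpoint inventory against the fixed builds the post gives (146.0.7680.75 for Windows/Linux, 146.0.7680.76 for macOS). The `Endpoint` fields are an assumed schema; how your management agent reports the installed and running versions is left to your tooling.

```python
"""Triage an endpoint inventory against the patched Chrome build numbers.

Added example (not from the ZyberWalls post or Google). Fixed versions
are taken from the advisory; the inventory is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Minimum fixed builds from the advisory, per platform.
FIXED: Dict[str, Tuple[int, ...]] = {
    "windows": (146, 0, 7680, 75),
    "linux": (146, 0, 7680, 75),
    "macos": (146, 0, 7680, 76),
}


@dataclass(frozen=True)
class Endpoint:
    host: str
    platform: str
    installed: str            # version on disk, as reported by the agent
    running: Optional[str]    # version of the live browser process; None if closed


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn '146.0.7680.75' into (146, 0, 7680, 75); None if malformed.
    Comparing integer tuples matters: as strings, '146.0.7680.9' sorts
    after '146.0.7680.75' even though it is the older build."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def is_fixed(version: str, platform: str) -> Optional[bool]:
    """True/False against the platform floor; None if either is unknown."""
    parsed = parse_version(version)
    floor = FIXED.get(platform.lower())
    if parsed is None or floor is None:
        return None
    return parsed >= floor


def triage(inventory: List[Endpoint]) -> Dict[str, str]:
    """Map each host to patched / restart_required / unpatched / unknown.
    An updated binary on disk does not protect a browser that has not been
    relaunched, so the running version decides the final status."""
    status: Dict[str, str] = {}
    for ep in inventory:
        on_disk = is_fixed(ep.installed, ep.platform)
        if on_disk is None:
            status[ep.host] = "unknown"          # cannot prove safety: chase it
        elif not on_disk:
            status[ep.host] = "unpatched"
        elif ep.running is None or is_fixed(ep.running, ep.platform) is True:
            status[ep.host] = "patched"          # closed browsers start patched
        else:
            status[ep.host] = "restart_required"
    return status


# Constructed inventory (hostnames and versions invented for illustration).
SAMPLE_INVENTORY = [
    Endpoint("ws-01", "windows", "146.0.7680.75", "146.0.7680.75"),  # patched
    Endpoint("ws-02", "windows", "146.0.7680.75", "146.0.7680.9"),   # updated on disk, old process still running
    Endpoint("mac-03", "macos", "146.0.7680.76", None),              # patched, browser closed
    Endpoint("mac-04", "macos", "146.0.7680.75", "146.0.7680.75"),   # fine on Windows, below the macOS floor
    Endpoint("lx-05", "linux", "145.0.7632.110", "145.0.7632.110"),  # unpatched
    Endpoint("ws-06", "windows", "n/a", None),                        # agent could not read the version
]


if __name__ == "__main__":
    for host, state in triage(SAMPLE_INVENTORY).items():
        print(f"{host:8} {state}")
```

Feed `triage()` whatever your endpoint management system exports and page on anything that is not `patched`; the `unknown` bucket deserves the same urgency as `unpatched`, because an endpoint whose browser version cannot be read is one you cannot prove is safe.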
This attack connects to a broader pattern — attackers targeting the tools people use for everything, rather than attacking infrastructure directly. The same identity-first logic applies to the social engineering attacks we've been tracking:
→ No Malware. No Exploit. Just a Phone Call — The Ericsson Breach Explained
And it's consistent with the privilege escalation wave we covered in this month's Patch Tuesday analysis:
→ Microsoft Patch Tuesday March 2026: 79 Fixes, One SQL Flaw That Hands Attackers Your Database
The ZyberWalls Perspective
Three Chrome zero-days in 2026. We're in mid-March.
Each one follows the same pattern: real attackers find a flaw, start exploiting it quietly, and Google's security team discovers it and patches it — sometimes within days, sometimes after weeks of active exploitation in the wild. Nobody knows how many people were compromised in that window. Nobody will.
The specific technical details of these two flaws will stay hidden until most Chrome users have updated — that's Google's policy, designed to prevent other attackers from copying the exploit before people are protected. It's a reasonable policy. It also means there's a race happening right now between people updating their browsers and attackers reaching as many unpatched targets as possible before the window closes.
The practical message is simple: the update is out. Update now, then restart Chrome. That's it. The threat is neutralised for anyone running the patched version.
The harder message is this: browser security is not a background concern. The browser is where people spend most of their working hours, where their credentials are stored, and where their authenticated access to every platform they use passes through constantly. A zero-day in Chrome is not a narrow, technical edge case. It's an attack on the tool that connects people to everything.
Eight Chrome zero-days were exploited in all of 2025. We already have three in 2026, and the year is barely started. That trajectory matters. Update your browsers. Update them as policy, automatically, across every device in your environment. Don't let a browser notification you dismissed last week be the reason an attacker is inside your network next week.
Stay Alert. Stay Human. Stay Safe. — ZyberWalls Research Team
