Google Patches Two Chrome Zero-Days Exploited in the Wild — Skia and V8 Under Active Attack

Google released an emergency security update on March 13, 2026, patching two high-severity zero-day vulnerabilities in Chrome that are being actively exploited in the wild. Both flaws carry a CVSS score of 8.8 and affect core browser components — the Skia 2D graphics library and the V8 JavaScript engine — meaning every Chromium-based browser is potentially exposed.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added both CVEs to its Known Exploited Vulnerabilities (KEV) catalog on the same day, requiring Federal Civilian Executive Branch agencies to apply patches by March 27, 2026.

The Vulnerabilities

CVE-2026-3909 is an out-of-bounds write vulnerability in Skia, the open-source 2D graphics engine that powers Chrome's rendering pipeline for web content and UI elements. Out-of-bounds write bugs allow attackers to overwrite adjacent memory regions, potentially enabling arbitrary code execution or application crashes. In a browser context, Skia flaws are particularly dangerous because they can be triggered by any web page that exercises a specific rendering path — no user interaction beyond visiting the page is required.

CVE-2026-3910 is an inappropriate implementation vulnerability in V8, Chrome's JavaScript and WebAssembly engine. V8 processes active content during normal browsing, making it a persistent high-value target for exploit developers. The flaw allows a remote attacker to execute arbitrary code inside the browser sandbox via a crafted HTML page. V8 vulnerabilities are frequently weaponized in targeted attacks because JavaScript is constantly executed during normal web browsing, creating abundant exploitation opportunities.

Both vulnerabilities were discovered internally by Google and reported on March 10, 2026. Google patched them within two days for users in the Stable Desktop channel. As is standard practice with actively exploited flaws, Google has withheld technical details about exploitation methods and the threat actors involved.

Three Chrome Zero-Days in 2026 — and Counting

These patches bring Chrome's 2026 zero-day count to three in less than three months. The first, CVE-2026-2441 (CVSS 8.8), was a use-after-free vulnerability in Chrome's CSS component patched in mid-February after being discovered by security researcher Shaheen Fazim. That flaw could allow arbitrary code execution inside the sandbox via a crafted HTML page.

For context, Google patched eight Chrome zero-days throughout all of 2025, and Google Threat Intelligence Group tracked 90 zero-days exploited in the wild across all vendors that year — up from 78 in 2024. Enterprise technologies accounted for a record 48% of observed exploitation. The 2026 pace of three zero-days in under 75 days suggests this year could match or exceed 2025's total.

2025–2026 Chrome Zero-Day Timeline

The pattern of Chrome zero-day exploitation over the past 12 months reveals consistent targeting of two components: the V8 JavaScript engine (5 of 11 total zero-days) and graphics subsystems including Skia and ANGLE (3 of 11). The remaining flaws targeted CSS, the Mojo IPC framework, and the Loader component.

Chrome zero-day timeline March 2025 to March 2026 showing 11 CVEs by CVSS score and affected component. V8 engine accounts for 5 zero-days, graphics subsystems Skia and ANGLE for 3, and other components Mojo Loader and CSS for 3. — Chrome zero-day timeline: 11 actively exploited vulnerabilities from March 2025 to March 2026, color-coded by affected component.

Mar 2025: CVE-2025-2783 — Mojo sandbox escape exploited in Operation ForumTroll, an espionage campaign targeting Russian government organizations (discovered by Kaspersky).
May 2025: CVE-2025-4664 — Loader flaw enabling account hijacking via cross-origin data leakage.
Jun 2025: CVE-2025-5419 and CVE-2025-6554 — Two V8 vulnerabilities (type confusion and OOB memory access) discovered by Google TAG.
Jul 2025: CVE-2025-6558 — ANGLE/GPU sandbox escape reported by Google TAG.
Sep 2025: CVE-2025-10585 — V8 type confusion enabling heap corruption, patched within 24 hours due to active exploitation.
Nov 2025: CVE-2025-13223 — V8 type confusion linked to espionage operations, likely commercial spyware vendors.
Dec 2025: CVE-2025-14174 — ANGLE OOB memory access affecting macOS users.
Feb 2026: CVE-2026-2441 — CSS use-after-free, first 2026 zero-day.
Mar 2026: CVE-2026-3909 (Skia OOB write) and CVE-2026-3910 (V8 inappropriate implementation) — the two flaws patched this week.

Donut chart showing Chrome zero-day distribution by component. V8 engine 45 percent with 5 zero-days, Graphics subsystems Skia and ANGLE 27 percent with 3, Other components 27 percent with 3. 11 total zero-days in 12 months with 2026 on pace for 15. — Component breakdown: V8 dominates with 45% of Chrome zero-days since March 2025.

Why V8 and Skia Keep Getting Hit

V8's Just-In-Time (JIT) compilation pipeline transforms JavaScript into optimized machine code at runtime. The optimization introduces complexity that attackers repeatedly exploit — type confusion occurs when the JIT compiler is tricked into omitting type checks, enabling arbitrary memory read/write and bypassing protections like ASLR and DEP. HP Wolf Security's 2025 zero-day review notes that type confusion vulnerabilities dominated Chrome exploitation, accounting for three of eight zero-days that year.

Skia processes untrusted visual content from every web page a user visits. Memory corruption in the graphics pipeline has historically provided a reliable path for sandbox escapes and code execution when chained with other engine bugs. The combination of a Skia vulnerability (CVE-2026-3909) alongside a V8 vulnerability (CVE-2026-3910) in the same emergency release raises the possibility that the two flaws are being chained in the wild — though Google has not confirmed this.

Impact Beyond Chrome

Both Skia and V8 are shared components across the entire Chromium ecosystem. Microsoft Edge, Brave, Opera, Vivaldi, and any application embedding the Chromium engine are potentially affected until their respective vendors release corresponding updates. CISA's advisory explicitly notes that organizations using Chromium-based browsers or embedded Chromium engines should treat this as a high-priority remediation and detection exercise.

Patching and Mitigation

Google has released patched versions: Chrome 146.0.7680.75/76 for Windows and macOS, and 146.0.7680.75 for Linux. Users can update via More > Help > About Google Chrome and clicking Relaunch. While Google states the out-of-band update could take days or weeks to reach all users, BleepingComputer confirmed the update was immediately available at time of publication.

Organizations should prioritize pushing the update across all managed endpoints, particularly administrator workstations and shared systems used for browsing. Until patches are applied, common delivery vectors for browser zero-days include watering hole attacks on legitimate websites, malvertising through ad networks, and compromised developer forums or tooling sites that serve exploit content to specific visitors.