Google just dropped an emergency Chrome update and if you haven’t restarted your browser yet, do it now.
Two Google 0days, CVE-2026-3909 and CVE-2026-3910, were already being actively exploited before Google even had patches ready. That’s the definition of a bad day. These weren’t just minor bugs either. They hit two core parts of the browser that attackers love to mess with.
The first one, CVE-2026-3909, is an out-of-bounds write flaw in Skia. That’s the graphics library Chrome uses to render basically everything you see on screen. Memory corruption bugs like this can allow attackers to crash your browser or in a worst case scenario run their own code on your machine.
The second one, CVE-2026-3910, is an implementation flaw in V8, which is Chrome’s JavaScript engine. This one is particularly nasty because all an attacker needs to do is get you to visit a compromised or malicious website and they’re potentially in business. You don’t have to download anything. You don’t have to click anything sketchy. Just visiting the wrong page can be enough.
The Google 0day is being locked down with the details.
Google is keeping the technical details locked down until most users have updated, which is pretty standard practice. The last thing they want is to hand exploit developers a blueprint while the majority of people are still vulnerable. Makes sense, even if it’s frustrating for those of us who like to know exactly what the hell is going on.
Both bugs were actually discovered in-house by Google, which is worth noting. Also worth noting is that Google paid out $17 million to nearly 750 security researchers through their Vulnerability Reward Program in 2025 alone. So at least they’re putting money into finding this shit before the bad guys do.
This isn’t even the first Google 0day rodeo this year. About a month ago Google patched CVE-2026-2441, another actively exploited zero-day involving Chrome’s CSS handling that could allow a malicious webpage to execute code inside the browser’s sandbox. That brings Chrome’s actively exploited vulnerability count to three already in 2026 and we’re not even close to halfway through the year.
The fix is already rolling out in the latest Chrome Stable update for Windows, macOS, and Linux. It should update automatically but if your browser is nagging you to restart, stop ignoring it. Go to your Chrome settings and trigger the update manually if you want to get it done right now. Then restart the browser.
Seriously. Do it now.
Recent Comments