Google released emergency security updates to patch two high-severity Chrome zero-day vulnerabilities (CVE-2026-3909 and CVE-2026-3910) that were actively exploited in the wild. CVE-2026-3909 is an out-of-bounds write in Skia, and CVE-2026-3910 is an inappropriate implementation vulnerability in the V8 JavaScript engine, both allowing for potential code execution.
Initial Access
Malicious Site Lure
likely
Users were reportedly lured to specially crafted malicious websites designed to trigger vulnerabilities in the Google Chrome browser.
Defender cut points
Web filtering and content inspectionUser awareness training against suspicious linksEmail security gateways to block phishing attempts
