Cybersecurity Blog | RedLegg

Security Bulletin: Multiple Google Chrome vulnerabilities exploited in the wild

Written by RedLegg's Cyber Threat Intelligence Team | 3/13/26 10:12 PM

About:

Multiple high-severity vulnerabilities affecting Google Chrome have been confirmed to be actively exploited in the wild. These flaws impact the Chrome Skia graphics library and the V8 JavaScript engine, two core components used to render web content and process web applications. Successful exploitation could allow attackers to trigger memory corruption or execute arbitrary code by convincing a user to visit a specially crafted website. Systems running outdated browser versions are at increased risk of compromise through malicious web content or exploit kits. 

RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.

VULNERABILITIES

Out-of-Bounds Write Vulnerability in Google Chrome (Skia Graphics Library)

CVSS Score: 8.8 (High, CVSS v3.1)
Identifier: CVE-2026-3909

PoC or Exploitation:
Google confirmed that CVE-2026-3909 is actively exploited in the wild.

Update/Patch:

Google released an emergency security update addressing this vulnerability.

Fixed versions include:

Google Chrome 146.0.7680.75 for Linux
Google Chrome 146.0.7680.75 / 146.0.7680.76 for Windows and macOS

Users should update Chrome through the browser's built-in update mechanism.

https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_12.html

Description:
CVE-2026-3909 is an out-of-bounds write vulnerability in the Skia graphics library used by Google Chrome to render web content and user interface elements. The flaw occurs when the browser improperly writes data outside the boundaries of allocated memory while processing certain graphical content.
A remote attacker can exploit this vulnerability by hosting a specially crafted HTML page designed to trigger the memory corruption condition.

Mitigation Recommendation:

Immediately update Google Chrome to version 146.0.7680.75 or later.

Ensure automatic browser updates are enabled across enterprise environments.

Apply updates to other Chromium-based browsers, which embed the same Skia and V8 components, once vendor patches become available.

Restrict access to untrusted or suspicious websites and implement web filtering controls where possible.

Monitor endpoint security telemetry for abnormal browser crashes, suspicious browser processes, or indicators of exploit activity originating from web browsing sessions.

Inappropriate Implementation Vulnerability in Google Chrome V8 Engine

CVSS Score: 8.8 (High, CVSS v3.1)
Identifier: CVE-2026-3910

PoC or Exploitation:
Google has confirmed that exploits for CVE-2026-3910 exist in the wild.

Update/Patch:

Google released emergency security updates addressing this vulnerability in the Chrome Stable channel.

Fixed versions include:

Google Chrome 146.0.7680.75 for Linux
Google Chrome 146.0.7680.75 / 146.0.7680.76 for Windows and macOS

Users should update Chrome through the browser's built-in update mechanism.

Description:

CVE-2026-3910 is an inappropriate implementation vulnerability in the V8 JavaScript and WebAssembly engine used by Google Chrome. Google uses the "inappropriate implementation" label for logic flaws, where a component behaves in a way its specification does not intend, rather than for classic memory-safety defects such as the Skia out-of-bounds write above. The flaw is triggered when the browser processes JavaScript or WebAssembly content from a web page.

A remote attacker can exploit this vulnerability by hosting a specially crafted HTML page designed to trigger the flaw within the V8 engine. When a victim visits the malicious page, the vulnerability may allow arbitrary code execution within the browser's renderer sandbox. Code running there is still confined by the sandbox, so reaching the host operating system normally requires chaining a separate sandbox-escape vulnerability.

Mitigation Recommendation:

Immediately update Google Chrome to version 146.0.7680.75 or later.

Ensure automatic browser updates are enabled across enterprise environments.

Apply updates to other Chromium-based browsers, which embed the same Skia and V8 components, once vendor patches become available.

Restrict access to suspicious or untrusted websites and implement web filtering where possible.

Monitor endpoint telemetry for abnormal browser activity, unexpected crashes, or indicators of exploit attempts associated with web browsing sessions.
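Both mitigation lists in this bulletin (for CVE-2026-3909 and CVE-2026-3910) begin with the same step: confirm that every Chrome install is at 146.0.7680.75 or later. The Python script below is an added example written for this bulletin, not RedLegg's or Google's tooling. It parses "Google Chrome 146.0.7680.75"-style output such as `google-chrome --version` prints, compares the build numerically against the fixed version (which also accepts the 146.0.7680.76 Windows/macOS build), and sorts a fleet inventory into patched, vulnerable and unknown hosts. The hostnames and version strings in SAMPLE_INVENTORY are constructed, and the `google-chrome` launcher name is an assumption that holds for typical Linux installs; pass the executable path on other platforms.

```python
"""Audit Chrome builds against the fixed versions named in this bulletin.

Added example for the mitigation lists above; not RedLegg or Google code.
"""
import re
import subprocess
from typing import Dict, Iterable, List, Optional, Tuple

# Minimum fixed build from the bulletin. 146.0.7680.75 shipped on every
# platform; Windows/macOS also received 146.0.7680.76, which a >= comparison
# against .75 accepts.
FIXED_VERSION = "146.0.7680.75"

# Chrome versions are four dot-separated integers (major.minor.build.patch).
_VERSION_RE = re.compile(r"\b(\d+\.\d+\.\d+\.\d+)\b")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Pull the first four-part version out of text such as
    'Google Chrome 146.0.7680.75' and return it as a tuple of ints.
    Returns None when no version is present (binary missing, error text)."""
    match = _VERSION_RE.search(text)
    if match is None:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if installed >= fixed, False if older, None if unparseable.

    Components are compared as integers; a string comparison would rank
    146.0.7680.9 above 146.0.7680.75 and call a vulnerable build fixed."""
    installed_v = parse_version(installed)
    fixed_v = parse_version(fixed)
    if installed_v is None or fixed_v is None:
        return None
    return installed_v >= fixed_v


def installed_chrome_version(binary: str = "google-chrome") -> Optional[str]:
    """Query a local Chrome binary for its version string.

    'google-chrome' is the usual Linux launcher name (an assumption here);
    pass the full executable path on other platforms. None means the query
    failed and the host should be treated as unknown, not as patched."""
    try:
        proc = subprocess.run([binary, "--version"], capture_output=True,
                              text=True, timeout=10, check=False)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return proc.stdout.strip() or None


def audit(inventory: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Sort (host, version-text) records into patched / vulnerable / unknown."""
    report: Dict[str, List[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for host, version_text in inventory:
        status = is_patched(version_text)
        if status is None:
            report["unknown"].append(host)
        elif status:
            report["patched"].append(host)
        else:
            report["vulnerable"].append(host)
    return report


# Constructed sample inventory (hostnames and version strings are made up).
SAMPLE_INVENTORY = [
    ("ws-01", "Google Chrome 146.0.7680.75"),             # fixed build (all platforms)
    ("ws-02", "Google Chrome 146.0.7680.76"),             # fixed build (Windows/macOS)
    ("ws-03", "Google Chrome 145.0.7632.117"),            # older major, vulnerable
    ("ws-04", "Google Chrome 146.0.7680.9"),              # string-sorts above .75, but is older
    ("ws-05", "Google Chrome 147.0.7702.3 beta"),         # newer channel build
    ("ws-06", "bash: google-chrome: command not found"),  # no version, unknown
]

if __name__ == "__main__":
    local = installed_chrome_version()
    print("local Chrome:", local or "not found", "->", is_patched(local or ""))
    for bucket, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{bucket:10s} {', '.join(hosts) or '-'}")
```

Two details matter when this is wired into a real inventory feed. Compare versions numerically, never as strings: lexicographically, 146.0.7680.9 sorts above 146.0.7680.75 and an unpatched host would be reported as fixed. And treat records that yield no version (Chrome absent, or an error message captured by the inventory agent) as unknown rather than letting them fall into the patched bucket by default.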